Ticketmaster Faces Data-Breach Class Action

Hacker stealing passwords and identity, computer crime — Illustration by Boonchai Wedmakawand/Getty Images

Ticketmaster is now facing a class-action lawsuit after hackers accessed the personal information of hundreds of millions of customers earlier this year.

The suit, filed in the U.S. District Court for the Central District of California Oct. 11, alleges that Ticketmaster “could and should” have implemented measures that would have stopped the breach, which the suit says was “avoidable.” The suit seeks at least $5 million in damages, along with attorney’s fees and costs.

In a filing with the Securities and Exchange Commission in June, Ticketmaster’s corporate parent Live Nation confirmed earlier reports that its customer database had been accessed by hackers, saying it “identified unauthorized activity within a third-party cloud database environment” containing primarily Ticketmaster-connected data.

“On May 27, 2024, a criminal threat actor offered what it alleged to be Company user data for sale via the dark web. We are working to mitigate risk to our users and the Company, and have notified and are cooperating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information,” LN said in the filing.

The ShinyHunters hacking consortium claimed it accessed personal information of more than 560 million Ticketmaster customers and was offering it for sale for $500,000 in a dark web forum.

On an online forum, the hackers said that the stolen data includes the names, addresses and phone numbers of Ticketmaster customers. In addition, it includes order history and partial payment details, including credit card expiration dates and the last four digits of card numbers.

The hackers accessed the information via the Snowflake cloud servers; Snowflake is not named as a defendant in the suit.

ShinyHunters came to prominence in 2020 and 2021 with breaches of, among others, AT&T Wireless, PlutoTV, Microsoft and a number of educational apps and game apps targeted at children.

In January, French programmer Sébastien Raoult, who has ties to the group, was sentenced to three years in prison and ordered to pay $5 million by a federal court in Washington state.

Because of the number of high-profile cyberattacks that preceded it, the lawsuit claims that Ticketmaster’s breach could have been stopped through proper “vendor management.” It further claims Ticketmaster was aware of the breach as early as April.

Ticketmaster did not immediately respond to a request for comment.