Member Article

What’s worse than wanting to go to a concert for your favorite music artist and spending one-third of the ticket price in “convenience fees”? Apparently, getting hacked and losing roughly 560 million individual’s personal data—which is exactly what happened to Ticketmaster on May 20, 2024.

According to an SEC filing by Ticketmaster’s parent company, Live Nation Entertainment, Ticketmaster identified “unauthorized activity within a third-party cloud based environment containing company data and launched an investigation with industry-leading forensic investigators to understand what happened.”

On May 27, 2024, a “criminal threat actor” offered alleged Ticketmaster-user data for sale on the dark web for a price of $500,000. A hacking group called “ShinyHunters” has since come forward and claimed responsibility for stealing the personal data of hundreds of millions of customers from Live Nation and Ticketmaster. ShinyHunters posted the 1.3-terabyte trove of data for sale, which allegedly contains personal information on Ticketmaster users such as names, credit card numbers, emails, home addresses and phone numbers.

Live Nation indicated in its SEC filing that it has been working to “mitigate risk” to its customers and that it is proactively taking steps to notify users about the data breach, further stating that “[a]s of the date of this filing, the incident has not had, and we do not believe it is reasonably likely to have, a material impact on our overall business operations or on our financial conditions or results of operations. We continue to evaluate the risks and our remediation efforts are ongoing.”

The timing of the data breach could not be more of a PR nightmare for Ticketmaster and Live Nation. On May 23,  the U.S. Justice Department sued the entities on antitrust grounds seeking to break up the companies on the basis that Ticketmaster and Live Nation have illegally been using monopoly power to dominate the ticketing business and quash the competition—a sentiment shared by musicians, artists, concertgoers and fans alike. Now, as a result of the data breach, lawsuits are beginning to be filed in federal court against Live Nation and Ticketmaster alleging negligence, emotional distress and potential future damages due to the leak of private personal information.

The Ticketmaster data breach is one of the largest in recent history and serves as a cautionary tale in making sure every company, business and entity is following best practices when it comes to cybersecurity, data protection and third-party vendor management and data privacy It should serve as a reminder to companies to enlist the help of experienced legal counsel who can help craft comprehensive data-privacy-compliance packages that include, but are not limited to, addressing and constructing uniquely tailored incident response plans, data protection policies, acceptable data use policies, AI use policies, data retention policies, data mapping tools, website privacy policies and website terms and conditions of use. Dinsmore’s cybersecurity teams help clients to be proactive in building safeguards and protective measures to ensure compliance with the GDPR, state-level data privacy and protection laws and to get ahead of the game in light of the forthcoming American Privacy Rights Act—a piece of legislation that promises to overhaul the way businesses handle personal data within the United States.

In an ever-changing legal environment and regulatory landscape, the one thing that is guaranteed is an increased emphasis on prioritizing cybersecurity needs. While the true damage caused by the Ticketmaster data breach remains to be seen, securing your ticket now and addressing your organization’s cybersecurity needs is the best way to ensure your way into the show, staying one step ahead of threat actors and data breaches.