Ticketmaster Fined $10M for Hacking Competitor

By John Lister

Ticketmaster will pay a $10 million fine for computer fraud and hacking. The company admitted responsibility for hacking an unnamed rival with the help of an employee who had previously worked at that rival.

The $10 million figure is calculated as the maximum $500,000 penalty for each of 20 cases of breaking the law through "unauthorized access of a protected computer." The fine is through a "deferred prosecution agreement" in which prosecutors hold off pursuing the case through the courts.

As part of the agreement, Ticketmaster admitted breaking the law and must cooperate with prosecutors investigating any other alleged wrongdoing. The agreement specifically bars Ticketmaster from denying it broke the law, for example by implying it only made the agreement to avoid the risk of a larger penalty.

It must also set up an internal ethics program to prevent staff from carrying out similar breaches in the future. (Source: arstechnica.com)

Former Staffer's Login Still Worked

The breaches involved two different types of "hacks" made possible by information from a former employee of the rival, who was later promoted to the post of director of client relations at Ticketmaster.

The first hack involved the former employee using login credentials from their former workplace to access accounts for presales of tickets. The former employee accessed the rival company's account in front of at least 14 employees of Ticketmaster and its parent company. (Source: justice.gov)

'Hidden' Event Pages Exploited

The second hack involved the former employee sharing the fact that the rival company used a sequential numbering system to create pages for events before they were intended for public view and before tickets were put on sale. The pages were online but only accessible by directly typing in the specific URL, rather than by following any links or finding them in a search engine.

Ticketmaster assigned a staff member to take advantage of this to hunt down such pages, thus finding out about events the rival company would be handling tickets for. Ticketmaster then contacted the events organizers to try to win their business.
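A defender-side check for the pattern described above, as an added example that is not from the article or from either company: it scans web access logs for clients that request long runs of consecutive event IDs with no Referer header. The `/events/<id>` URL layout, the combined log format, the threshold and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

def _line(ip, event_id, referer="-"):
    # Builds one constructed access-log line (combined log format).
    return (f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET /events/{event_id} '
            f'HTTP/1.1" 200 5120 "{referer}" "Mozilla/5.0"')

# Constructed sample traffic, not real data.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", i) for i in range(1040, 1048)]  # walks 1040..1047
    + [_line("198.51.100.20", 1012, "https://tickets.example/search"),
       _line("198.51.100.20", 1044, "https://tickets.example/search"),
       _line("198.51.100.9", 1013),   # two unrelated direct hits
       _line("198.51.100.9", 1030)]
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /events/(?P<id>\d+) HTTP/[\d.]+" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"'
)

def longest_run(ids):
    """Length of the longest run of consecutive integers among the IDs."""
    ids = set(ids)
    best = 0
    for i in ids:
        if i - 1 not in ids:          # i is the start of a run
            n = 1
            while i + n in ids:
                n += 1
            best = max(best, n)
    return best

def find_enumerators(log_text, min_run=5):
    """Return {client_ip: run_length} for clients that requested at least
    min_run consecutive event IDs directly (empty or '-' Referer)."""
    direct = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["referer"] in ("", "-"):
            direct[m["ip"]].add(int(m["id"]))
    runs = {ip: longest_run(ids) for ip, ids in direct.items()}
    return {ip: n for ip, n in runs.items() if n >= min_run}

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Detection like this only shows that enumeration is happening. The underlying fix is for the server to refuse unpublished pages to unauthenticated requests and to use identifiers that cannot be guessed from their neighbours.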

What's Your Opinion?

Is the fine appropriate? Does it make any difference that the rival company had some security weaknesses? Should any of the individuals involved face personal prosecution?


Comments

Dennis Faas

The systems administrator at the rival company should be reprimanded for allowing continued access to the company's systems even after the former employee was let go. Removing access is pretty standard procedure once an employee has been let go to avoid shenanigans such as this.

Lipl1_2237

Definite security failure on the part of the other company. If everything was done starting with HR then it would've been HR's job to notify all departments to disable the account.

Navy vet

People need to go to jail for this stuff or it will continue.