Ticketmaster has agreed to pay a $10 million fine after being charged with illegally accessing computer systems of a competitor repeatedly between 2013 and 2015 in an attempt to "cut [the company] off at the knees."
A subsidiary of Live Nation, the California-based ticket sales and distribution company used the stolen information to gain an advantage over CrowdSurge — which merged with Songkick in 2015 and later acquired by Warner Music Group (WMG) in 2017 — by hiring a former employee to break into its tools and gain insight into the firm's operations.
"Ticketmaster employees repeatedly – and illegally – accessed a competitor's computers without authorization using stolen passwords to unlawfully collect business intelligence," said Acting U.S. Attorney Seth DuCharme.
"Further, Ticketmaster's employees brazenly held a division-wide 'summit' at which the stolen passwords were used to access the victim company's computers, as if that were an appropriate business tactic."
The allegations were first reported in 2017 after CrowdSurge sued Live Nation for antitrust violations, accusing Ticketmaster of accessing confidential business plans, contracts, client lists, and credentials of CrowdSurge tools.
According to court documents released on December 30, after being hired by Live Nation in 2013, Stephen Mead, who was CrowdSurge's general manager of U.S. operations, shared with Zeeshan Zaidi, the former head of Ticketmaster's artist services division, and another Ticketmaster employee the passwords to Artist Toolbox, an app that provided real-time data about tickets sold through the victim company.
Besides password theft, Mead is also accused of providing "internal and confidential financial documents" retained from his former employer, as well as URLs for draft ticketing web pages so as to learn which artists planned to use CrowdSurge to sell tickets and "dissuade" them from doing so.
On October 18, 2019, Zaidi pled guilty in a related case to conspiring to commit computer intrusions and wire fraud for his participation in the scheme, stating, "we're not supposed to tip anyone off that we have this view into [the victim company's] activities."
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
An unnamed Ticketmaster executive said in an internal email the goal was to "choke off" and "steal" its signature clients by winning back the presale ticketing business for a second major artist that was a client of CrowdSurge.
Both Mead and Zaidi are no longer employed by Ticketmaster.
"Ticketmaster terminated both Zaidi and Mead in 2017, after their conduct came to light. Their actions violated our corporate policies and were inconsistent with our values. We are pleased that this matter is now resolved," a company spokesperson told The Hacker News.
Ticketmaster previously settled a lawsuit brought by Songkick in 2018 by agreeing to pay the company's owners $110 million and acquire its remaining intellectual property not sold to WMG for an undisclosed amount.
Besides paying the $10 million penalties, Ticketmaster is expected to maintain a compliance and ethics program to detect and prevent such unauthorized acquisition of confidential information belonging to its rivals.
The company will also be required to make an annual report to the U.S. Attorney's Office over the next three years to ensure compliance.