Ticketmaster admits it hacked rival company before it went out of business

Image of ones and zeros with the word

Ticketmaster has agreed to pay a $10 million criminal fine after admitting its employees repeatedly used stolen passwords and other means to hack a rival ticket sales company.

The fine, which is part of a deferred prosecution agreement Ticketmaster entered with federal prosecutors, resolves criminal charges filed last week in federal court in the eastern district of New York. Charges include violations of the Computer Fraud and Abuse Act, computer intrusion for commercial advantage or private financial gain, computer intrusion in furtherance of fraud, conspiracy to commit wire fraud, and wire fraud.

In the settlement, Ticketmaster admitted that an employee who used to work for a rival company emailed the login credentials for multiple accounts the rival used to manage presale ticket sales. At a San Francisco meeting attended by at least 14 employees of Ticketmaster or its parent company Live Nation, the employee used one set of credentials to log in to an account to demonstrate how it worked.

A hack, then a promotion

The employee, who wasn’t identified in court documents, later provided Ticketmaster executives with internal and confidential financial documents he had retained from his previous employer. The employee was later promoted to director of client relations and given a raise. Court documents didn’t identify the rival company, but Variety reported it was Songkick, which in 2017 filed a lawsuit accusing Ticketmaster of hacking its database. A few months later, Songkick went out of business.

The charges against Ticketmaster come 26 months after Zeeshan Zaidi, the former head of Ticketmaster’s artist services division, pled guilty in a related case to conspiring to hack the rival company and engage in wired fraud. According to prosecutors, the former rival employee emailed the login credentials to Zaidi and another Ticketmaster employee.

“When employees walk out of one company and into another, it’s illegal for them to take proprietary information with them,” FBI Assistant Director William Sweeney Jr. said in a statement. “Ticketmaster used stolen information to gain an advantage over its competition, and then promoted the employees who broke the law.”

Besides providing login credentials, the former employee also showed Ticketmaster managers how to exploit a flaw in the URL generation scheme the rival used for unpublished ticketing webpages. To prevent the pages from being accessed by outsiders before they were made public, each one had a unique numerical value. The former employee told his new employer that the values were generated sequentially, and outsiders could use this information to view artist pages while they were still in early draft stages.

In early 2015, Ticketmaster assigned one of its employees to learn about this system and use it to maintain a spreadsheet listing every ticketing webpage that could be located. Ticketmaster would then identify the rival company’s clients and “attempt to dissuade them from selling tickets through the victim company,” federal prosecutors said. Zaidi, the prosecutors further said, explained that “we’re not supposed to tip anyone off that we have this view into [the victim company’s] activities.”

Besides paying the $10 million fine, Ticketmaster has also agreed to maintain a compliance and ethics program designed to prevent and detect future hacking and unlawful acquisitions of competitors’ confidential information. Live Nation representatives didn’t respond to a message seeking comment for this post.

Update: More than 24 hours after this post went live, a Ticketmaster representative finally responded to the request for comment. It reads: “Ticketmaster terminated both Zaidi and Mead in 2017, after their conduct came to light. Their actions violated our corporate policies and were inconsistent with our values. We are pleased that this matter is now resolved.”