https://arstechnica.com/information-technology/2021/01/ticketmaster-pays-10-million-criminal-fine-for-hacking-a-rival-company/

BUSTED -- Ticketmaster admits it hacked rival company before it went out of business

Ticketmaster used stolen passwords and URL guessing to access confidential data.

Dan Goodin - Jan 4, 2021 6:57 pm UTC

Ticketmaster has agreed to pay a $10 million criminal fine after admitting its employees repeatedly used stolen passwords and other means to hack a rival ticket sales company.

The fine, which is part of a deferred prosecution agreement Ticketmaster entered with federal prosecutors, resolves criminal charges filed last week in federal court in the eastern district of New York. Charges include violations of the Computer Fraud and Abuse Act, computer intrusion for commercial advantage or private financial gain, computer intrusion in furtherance of fraud, conspiracy to commit wire fraud, and wire fraud.

In the settlement, Ticketmaster admitted that an employee who used to work for a rival company emailed the login credentials for multiple accounts the rival used to manage presale ticket sales.
At a San Francisco meeting attended by at least 14 employees of Ticketmaster or its parent company Live Nation, the employee used one set of credentials to log in to an account to demonstrate how it worked.

A hack, then a promotion

The employee, who wasn't identified in court documents, later provided Ticketmaster executives with internal and confidential financial documents he had retained from his previous employer. The employee was later promoted to director of client relations and given a raise.

Court documents didn't identify the rival company, but Variety reported it was Songkick, which in 2017 filed a lawsuit accusing Ticketmaster of hacking its database. A few months later, Songkick went out of business.

The charges against Ticketmaster come 26 months after Zeeshan Zaidi, the former head of Ticketmaster's artist services division, pled guilty in a related case to conspiring to hack the rival company and engage in wire fraud. According to prosecutors, the former rival employee emailed the login credentials to Zaidi and another Ticketmaster employee.

"When employees walk out of one company and into another, it's illegal for them to take proprietary information with them," FBI Assistant Director William Sweeney Jr. said in a statement. "Ticketmaster used stolen information to gain an advantage over its competition, and then promoted the employees who broke the law."

Besides providing login credentials, the former employee also showed Ticketmaster managers how to exploit a flaw in the URL generation scheme the rival used for unpublished ticketing webpages. To prevent the pages from being accessed by outsiders before they were made public, each one had a unique numerical value. The former employee told his new employer that the values were generated sequentially, and outsiders could use this information to view artist pages while they were still in early draft stages.
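
As an added illustration that is not part of the original article, here is the kind of access-log check a site operator could run to notice one client walking through sequentially numbered pages. The log format, the /pages/<id> path, the sample lines and the run-length threshold are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines: client address, method, path, status.
SAMPLE_LOG = """\
203.0.113.7 GET /pages/4101 200
203.0.113.7 GET /pages/4102 200
203.0.113.7 GET /pages/4103 404
203.0.113.7 GET /pages/4104 200
203.0.113.7 GET /pages/4105 200
203.0.113.7 GET /pages/4106 200
198.51.100.20 GET /pages/3980 200
198.51.100.20 GET /pages/4104 200
198.51.100.20 GET /pages/3980 200
192.0.2.55 GET /pages/4050 200
192.0.2.55 GET /about 200
"""

# Hypothetical URL layout: numeric page identifier under /pages/.
LINE_RE = re.compile(r"^(\S+) GET /pages/(\d+) (\d{3})$")


def longest_run(ids):
    """Length of the longest run of consecutive integers in a set of IDs."""
    best = 0
    for n in ids:
        if n - 1 not in ids:  # n is the first ID of a run
            length = 1
            while n + length in ids:
                length += 1
            best = max(best, length)
    return best


def find_enumerators(log_text, min_run=5):
    """Return {client: run_length} for clients that requested at least
    min_run consecutive page IDs, whatever status each request got."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    runs = {client: longest_run(ids) for client, ids in seen.items()}
    return {client: run for client, run in runs.items() if run >= min_run}


if __name__ == "__main__":
    for client, run in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: requested {run} consecutive page IDs")
```

Detection of this kind complements, and does not replace, an authorization check on unpublished pages.
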
In early 2015, Ticketmaster assigned one of its employees to learn about this system and use it to maintain a spreadsheet listing every ticketing webpage that could be located. Ticketmaster would then identify the rival company's clients and "attempt to dissuade them from selling tickets through the victim company," federal prosecutors said. Zaidi, the prosecutors further said, explained that "we're not supposed to tip anyone off that we have this view into [the victim company's] activities."

Besides paying the $10 million fine, Ticketmaster has also agreed to maintain a compliance and ethics program designed to prevent and detect future hacking and unlawful acquisitions of competitors' confidential information.

Live Nation representatives didn't respond to a message seeking comment for this post.

Update: More than 24 hours after this post went live, a Ticketmaster representative finally responded to the request for comment. It reads:

"Ticketmaster terminated both Zaidi and Mead in 2017, after their conduct came to light. Their actions violated our corporate policies and were inconsistent with our values. We are pleased that this matter is now resolved."