Ticketmaster says it discovered unauthorized activity on a cloud database hosted by a third-party data services provider between April 2 and May 18.Paul Sakuma/The Associated Press
Ticketmaster users across North America are being notified that their personal information may have been compromised in a security breach that happened months ago, triggering backlash from customers angered by the company’s response.
The California-based ticket sales giant said it discovered unauthorized activity on a cloud database hosted by a third-party data services provider between April 2 and May 18. On May 23, the company said it learned that some personal information of customers may have been obtained, such as names, e-mail addresses, phone numbers, or encrypted credit-card information.
“We know how important your personal information is and we take its protection very seriously,” the company wrote on its website.
The company has sent e-mails to potentially affected customers this week, warning that their personal information may have been intercepted. It’s also sending letters in the mail.
Many customers have taken to social media to express their frustration with the company, which extends beyond privacy and into other issues such as steep fees. Ticketmaster and its parent company, Live Nation Entertainment, were recently sued by the U.S. Justice Department for allegedly having an illegal monopoly over live events.
Ticketmaster user Rachel Talalay said in an e-mail that she would be asking her bank for advice on cancelling her credit card and wasn’t happy about the wording of the e-mail she received from the company after the breach.
“It’s insult to injury to tell me to ‘be vigilant’ after they had a massive breach,” she said in an e-mail.
Jim Meaney said he was surprised to receive an e-mail from Ticketmaster on Tuesday because it had been at least a year since he used it.
“I haven’t bought tickets from Ticketmaster in quite a while, so the data must be fairly old,” he said.
Ticketmaster did not answer questions e-mailed to it by The Globe and Mail, but responded with a link to its website.
Were you hacked? Cybersecurity experts share tips for protecting personal data
Ross Saunders, a director at Toronto-based Bamboo Data Consulting and digital privacy expert, said he wants to know why Ticketmaster waited so long to alert those affected by the breach after discovering it. He said those whose data may have been compromised should be on the lookout for signs of credit card fraud or identity theft.
“You may want to cancel your cards and get new credit cards issued if that information happens to be decrypted down the line,” he said.
In its e-mail to affected users, Ticketmaster said they could register for a 12-month free identity monitoring service would be available through TransUnion of Canada Inc.
“Identity monitoring will look out for your personal data on the dark web and provide you with alerts for one year from the date of enrollment if your personally identifiable information is found online,” the company wrote in its e-mail to users.
Mr. Meaney said he has registered for similar monitoring services in the past as the victim of a different privacy breach and intends to take advantage of Ticketmaster’s offer.
But Mr. Saunders said while Ticketmaster’s offer is a nice gesture, its timeline won’t outlast the risk affected customers could face.
“I’ve been a victim of identity theft, and it happened about two years after the information got out there. So, there’s probably a good likelihood that it would happen within the first while, but the risk with privacy and personal information being out there is it could be used at a later stage,” he said.
Ultimately, Mr. Saunders said people can take steps to protect themselves such as not saving their credit card information online, but the duty to protect customers rests largely on the company itself.
“There’s not much a customer can do when the connection is behind the scenes, and that’s what’s getting exploited. So, it’s very vital that the companies that handle personal information are also looking after it correctly,” he said.
On its website, Ticketmaster said it’s working with law enforcement, credit card companies and banks to investigate the incident, and has found no further unauthorized activity. Additionally, it said it’s taking steps to enhance its security, such as rotating passwords for potentially affected accounts, reviewing access permissions and increasing alerting mechanisms.
Mr. Meaney said he has no plans to stop using Ticketmaster, or other online services that ask for his personal information because in many cases, he simply has no other choice.
“I know I need to be careful, but I’m not going to change the way I live because of it,” he said.