Ticketmaster says customers' credit card information affected by data breach

Ticketmaster is notifying customers about a "data security incident" that may have leaked their personal information.

The ticket-selling company wrote in an email to customers Monday that it recently discovered an "unauthorized third party" obtained information from a cloud database hosted by a third-party company between April 2 and May 18.

The information "may have included your name, basic contact information, and payment card information such as encrypted credit or debit card numbers and expiration dates," the email read.

The email says Ticketmaster is investigating and co-operating with U.S. federal law enforcement authorities.

"We are fully committed to protecting your information, and deeply regret that this incident occurred," it said.

According to the email, Ticketmaster determined on May 23 that personal information might have been affected.

The notice was connected to a previously reported breach, a Ticketmaster spokesperson told CBC on Tuesday, when the company's owner Live Nation said in a May 31 filing with the U.S. Securities and Exchange Commission that it found "unauthorized activity" in a third-party cloud database that mainly contained Ticketmaster data.

Live Nation Entertainment and Ticketmaster logos are seen in this illustration taken May 23, 2024. REUTERS/Dado Ruvic/Illustration
Ticketmaster's owner Live Nation recently reported a similar data breach to U.S. authorities. (Dado Ruvic/Illustration/Reuters)

Held for ransom

News of the breach came after a hacking group called ShinyHunters claimed it had stolen user data of more than 500 million Ticketmaster customers and demanded a ransom of $500,000 US ($680,000 Cdn), according to media reports.

Ticketmaster says it first identified the breach on May 20.

Three days later, it identified that personal information may have been affected by the breach, which was the subject of Monday's email.

CBC has asked Ticketmaster why it did not notify customers sooner.

Evan Light, associate professor of communications at York University and an expert in privacy and surveillance technology, says it's surprising that people's credit card numbers were released.

"If people get emails from Ticketmaster saying that they're among these accounts, I'd say cancel your credit card right away."

Light suggests checking the website Have I Been Pwned, which scours databases in hacker forums, to see if your email address is included in those data sets.

He says it's also a good idea to enable two- or multi-factor authentication on credit cards, and to refrain from storing credit card information with a company you are buying from, even though it seems convenient.

Light says most large companies outsource customers' personal information, and "you can only police people who you contract out so rigorously," which can become a problem for a company of Live Nation's size.

"The fact that they're such a giant monopoly means that there's nobody to keep them in check."