Canadian Government Opens Investigation of Ticketmaster Breach

The Privacy Commissioner of Canada announced it has launched a formal investigation of Ticketmaster following the massive data breach that took place this spring. The U.S. based company operates extensively in Canada, and accordingly holds massive amounts of data from Canadian consumers.

It is unclear how many consumers north of the border were impacted in the incident, though it is likely to be significant. The total number of accounts impacted in the breach is believed to be in the hundreds of millions worldwide.

“Data breaches have surged over the last decade, and we have seen a significant increase in the scale and complexity of these incidents,” says Privacy Commissioner of Canada Philippe Dufresne in a statement released Wednesday.

“Ticketmaster holds the personal information of millions of Canadians. The investigation will allow us to understand why this cyber incident happened and what must be done to address this situation and prevent it from happening again.”

Live Nation Entertainment became aware of a breach involving customer data accessed via a third-party data provider in May, according to a Securities and Exchange Commission filing by the corporation. Despite its awareness of the personal and hashed payment card information of millions being accessed, the company did not make any public statements or filings on the matter until after news broke that hackers had offered the data for sale on the dark web.

The “hacker” group ShinyHunters said it cracked the Ticketmaster system and accessed some 1.3 terabytes of data, which includes names, addresses, credit card numbers, phone numbers, and payment details, involving 560 million customers globally.

Further Reading
| Live Nation Entertainment confirms data breach in SEC filing |
| Ticketmaster Hack: Data of half a billion users up for ransom |

This is not the first time that Ticketmaster has been victimized by a data breach, having seen the personal and payment details of nearly 10 million users accessed in 2018. That led to a £1.25 million fine for the company. Ticketfly, a subsidiary of Eventbrite that was subsequently shut down, suffered a data breach impacting an estimated 27 million users six years ago. See Tickets has also seen a data breach, impacting 300,000 users.

Ticketmaster and other ticketing systems have made themselves a very prominent target for such attacks because event organizers have increasingly relied on massive data-harvesting technology as a part of their operations, requiring the use of their mobile app to access tickets sold for most events. These systems enable ticketing companies to access enormous amounts of user data. This data forms one of the key pillars of Ticketmaster’s sales pitch to event operators, as it can be shared freely with those event operators, as well as sold on to third parties without further user consent.

FURTHER READING | ASM Global, Ticketmaster Extend Deal on Strength of Data Harvesting

The release announcing the Canadian investigation did not indicate any timeline nor potential penalties faced by the company should it be found at fault for the breach.