On May 28, 2024, media outlets reported that Live Nation Entertainment and its subsidiary Ticketmaster suffered a significant data breach impacting over 560 million users.
Here’s everything you need to know.
A timeline of the Ticketmaster data breach
This breach first came to light after an infamous hacking group, ShinyHunters, put 1.3 terabytes of stolen data up for sale on the cybercrime forum, Breach Forums, priced at $500,000.
The data included:
- Full names
- Addresses
- Email addresses
- Phone numbers
- Ticket sales and event details
- Order information
- Partial payment card data:
  - Customer names
  - Last four digits of card numbers
  - Expiration dates
- Customer fraud details
Once the media caught wind of the post, the breach hit the headlines.
The next day, Live Nation confirmed the data breach in an SEC (U.S. Securities and Exchange Commission) filing. They claimed to have discovered the breach almost a week prior. Here’s what the notification said:
“On May 20, 2024, Live Nation Entertainment, Inc. (the “Company” or “we”) identified unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary) and launched an investigation with industry-leading forensic investigators to understand what happened.”
“On May 27, 2024, a criminal threat actor offered what it alleged to be Company user data for sale via the dark web. We are working to mitigate risk to our users and the Company, and have notified and are cooperating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information.”
How did the Ticketmaster breach happen?
A Ticketmaster spokesperson has since confirmed the identity of the third-party cloud provider as Snowflake, a cloud-based data storage and analytics service.
In a breach notification post on its own website, Snowflake indicated the incident was the result of a cloud account hijacking attack, where stolen credentials are used to access sensitive data.
“Snowflake recently observed and is investigating an increase in cyber threat activity targeting some of our customers’ accounts. We believe this is the result of ongoing industry-wide, identity-based attacks with the intent to obtain customer data.”
More worryingly still, it seems Ticketmaster isn’t the only company ShinyHunters targeted in this supply chain attack. On May 30th, the hacking group also put Santander customer and staff data up for sale on the dark web. It’s thought this data also came from the Snowflake breach.
The stolen Santander data includes personally identifiable information relating to 30 million customers and employees, as well as 28 million credit card numbers. It is up for sale for $2 million.
Lessons learned
Both of these incidents underscore the cybersecurity risks posed by third-party cloud providers. For detailed guidance on bolstering supplier security, read our guidance on preventing third-party data breaches.