Ticketmaster parent company Live Nation has confirmed that internal data was exposed in a cyber-attack identified last month, with threat actors apparently targeting a third-party cloud environment.
The ticketing giant said in an SEC filing that the majority of the compromised data came from its Ticketmaster subsidiary, which chimes with earlier reports that as many as 560 million of the company’s customers may have been impacted.
“On May 20, 2024, Live Nation Entertainment identified unauthorized activity within a third-party cloud database environment containing company data … and launched an investigation with industry-leading forensic investigators to understand what happened,” the 8-K filing noted.
“On May 27, 2024, a criminal threat actor offered what it alleged to be company user data for sale via the dark web. We are working to mitigate risk to our users and the company, and have notified and are cooperating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information.”
That “criminal threat actor” is known as ShinyHunters. According to screenshots of the dark web ad, they are selling 1.3TB of stolen customer data, including names, addresses, emails and phone numbers, the last four digits of card numbers and expiry dates, ticketing order details and much more. The trove is on offer as a “one-time sale” for $500,000.
New Breach from ShinyHunters. Selling the database of @LiveNation / @Ticketmaster for $500k. Over 1.3TB of data consisting of 560 million customers full details (name, address, email, phone), order details, cc detail - customer, last 4, exp date. @DarkWebInformer @troyhunt pic.twitter.com/oTBUI9NkVc
— James H (@milkshakesbot) May 28, 2024
Read more on data breaches: US Smashes Annual Data Breach Record With Three Months Left
Live Nation confirmed to various outlets that cloud storage firm Snowflake is the third party whose environment was targeted in the breach. A similar incident at Spanish bank Santander originated from the same source, it has been claimed.
In a since-removed blog post, security researchers at Hudson Rock reported that the threat actor targeted a Snowflake employee’s ServiceNow account with stolen credentials, enabling them to subsequently access the Ticketmaster database.
However, a post from Snowflake on Sunday explained that an increase in threat activity “targeting some of our customers’ accounts” is down to “ongoing industry-wide, identity-based attacks” designed to exfiltrate customer data.
“Research indicates that these types of attacks are performed with our customers’ user credentials that were exposed through unrelated cyber-threat activity,” the post continued. “To date, we do not believe this activity is caused by any vulnerability, misconfiguration or malicious activity within the Snowflake product.”
Interestingly, despite the purportedly large number of customers affected by the incident, Live Nation played down its operational and financial impact on the firm.
“As of the date of this filing, the incident has not had, and we do not believe it is reasonably likely to have, a material impact on our overall business operations or on our financial condition or results of operations,” its SEC filing concluded. “We continue to evaluate the risks and our remediation efforts are ongoing.”