Live Nation Breach: Customer Data Exposed

For many of us, Ticketmaster owned by publicly traded Live Nation is where we purchase tickets to our favorite live entertainment events (Concerts, Sports, Theater, and more).

For cyber criminals, it provides a treasure chest of data to be stolen and auctioned off to the highest bidder. Based on Live Nation’s SEC filing on Friday, May 31st and online information, it appears this is exactly what happened.

The cybersecurity industry is experiencing an increasing number of circumstances where word first spreads online that a company has been breached before it publicly says anything about it. Sometimes the claims are politically motivated or just notorious fearmongering.

Here we see the same pattern. On May 28, according to hackread.com, the group ShinyHunters listed 1.3 terabytes' worth of Live Nation-owned Ticketmaster customer data for a one-time price of $500,000 on its cybercrime-linked platform Breach Forums. Live Nation made its disclosure three days later on 5/31, saying little but that a probe is underway, under “Other Events” in its SEC filing.

“On May 20, 2024, Live Nation Entertainment, Inc. (the “Company” or “we”) identified unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary) and launched an investigation with industry-leading forensic investigators to understand what happened.

“On May 27, 2024, a criminal threat actor offered what it alleged to be Company user data for sale via the dark web. We are working to mitigate risk to our users and the Company and have notified and are cooperating with law enforcement.  As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information."

The SEC Materiality clause requires that a company investigate the impact of an attack for material impact on its business operation or its financial condition.  Live Nation published the following materiality statement:

“As of the date of this filing [5/31], the incident has not had, and we do not believe it is reasonably likely to have, a material impact on our overall business operations or on our financial condition or results of operations. We continue to evaluate the risks and our remediation efforts are ongoing.”

As expected, Live Nation’s SEC filing is not specific and allows for all possible outcomes. And realistically, can an organization truly define the impact of a breach within 11 days, especially when it involves one of its third parties? Probably not, particularly when it has not disclosed the identity of the third party, rumors abound. Online cybersecurity groups tend to be the arbiters of these public company disclosures.

Most certainly, there is a delicate balance between a public company's need for information control during a cybersecurity investigation and the transparency necessary for the industry to be informed. No doubt effective public communication from Live Nation will be needed to allay customer concerns regarding the breach's impact and measures put in place to prevent it from happening again.