Is there a correct way to respond to a hack?
ShinyHunters, a criminal hacking group, has claimed responsibility for allegedly stealing the personal details of 560 million Ticketmaster customers. The group claims to have stolen data including names, addresses, phone numbers and partial credit card details from Ticketmaster users across the world. ShinyHunters is reportedly demanding a £400,000 ransom payment.
In a filing to the US Securities and Exchange Commission on 27 May 2024, Live Nation Entertainment Inc, the parent company of Ticketmaster, said it identified the unauthorised activity on 20 May 2024, at which point it began investigations. Live Nation also said that “a criminal threat actor offered what it alleged to be Company user data for sale via the dark web”. The report also claimed Live Nation had been notifying users about the breach and potential access to their personal information and was working to “mitigate risk”. Ticketmaster notified shareholders of the breach late on 31 May 2024. Live Nation did not mention ShinyHunters when making its filing. It has been suggested this breach could be one of the largest-scale hacks ever undertaken.
This hack is thought to be part of a bigger operation by ShinyHunters, who were reportedly behind the data breach of Santander bank in May. In that incident, the group claimed it had breached the data of 30 million Santander customers, gaining access to 6 million account numbers and balances, 28 million credit card numbers as well as the details of Santander HR staff. In this instance, ShinyHunters asked for £1.2 million in ransom.
Ticketmaster is one of the largest online ticket sales platforms in the world. In the same week as the hack, Ticketmaster’s parent company, Live Nation, was issued with a civil antitrust lawsuit from the US Justice Department, along with 30 state and district attorneys general. The lawsuit was filed against Live Nation for monopolisation of the market across the live entertainment industry, and other unlawful conduct.
In response to the breach, Ticketmaster, in a letter to be sent to customers in Maine, has stated it will offer affected customers twelve months of free identity monitoring services through TransUnion, which will “look out for your personal data on the dark web”.
Ticketmaster has also reportedly sent emails to Canadian customers, urging them to “be vigilant and take steps to protect against identity theft and fraud,” and to monitor their online accounts and bank account statements. Ticketmaster is also advising and paying for its Canadian customers to sign up to identity monitoring services. Regarding the service, Ticketmaster has said, “identity monitoring will look out for your personal data on the dark web and provide you with alerts for one year from the date of enrolment if your personally identifiable information is found online”.
This is in contrast to Live Nation’s first response, upon filing at the SEC, where the company stated it did not believe the incident to be “reasonably likely to have a material impact on our overall business operations or on our financial conditions or results of operations”.
A class action lawsuit has also been filed by a law firm in California for Ticketmaster customers, criticising Live Nation’s failure to disclose the breach upon discovery and its failure to “properly secure and safeguard” its customers’ personally identifiable information (PII) through “adequate and reasonable cybersecurity procedures and protocols”.
The response to the hack by Live Nation is leading people to question the correct way to respond to a hack, with many, including customers, believing that they should be informed immediately if their personal information has been compromised. However, experts have stated that this kind of information cannot be rushed. Companies understand the need for transparency with their customers, but forensic information on who has been impacted and the extent of a breach needs to be verified before customers are notified.