The personal and credit card data of more than half a billion Ticketmaster users has reportedly been cracked as part of a cyber incident being investigated this week. Australian authorities are reportedly working with Live Nation and Ticketmaster on the incident, but limited details have been released as of Wednesday morning.

Australia’s Department of Home Affairs told ABC it is “working with Ticketmaster to understand the incident,” according to that news outlet. No statement has yet been released by Ticketmaster or its parent on the matter.

“Hacker” group ShinyHunters has claimed it has cracked the Ticketmaster system and accessed some 1.3 terabytes of data, which includes names, addresses, credit card numbers, phone numbers, and payment details. The information is said to be up for sale on the dark web, with an asking price of $500,000.

TFL and ATBS for ticketing professionals

Early reports indicate that the user data involves 560 million customers globally, though it is unclear what markets are impacted (or what percentage of consumers impacted are from what markets). Obviously, the risk for any impacted consumer is very high, given the highly sensitive data that appears to be involved.

“This could mean the potential risk of identity fraud and we would assume this data would be used for phishing or impersonation attacks down the track,” says cybersecurity expert Mark Lukie in the ABC report. “Users need to be very vigilant about their email and who they’re responding to and not giving out any information to people trying to trick them.”

According to one report, the hacker group says it contacted Ticketmaster regarding the data hack, but the company never responded before it went public with the information.

This is not the first time that Ticketmaster has been victimized by a data breach, having seen the personal and payment details of nearly 10 million users accessed in 2018. That led to a £1.25 million fine for the company. Ticketfly, a subsidiary of Eventbrite that was subsequently shut down, suffered a data breach impacting an estimated 27 million users six years ago. See Tickets has also seen a data breach, impacting 300,000 users.

Ticketmaster and other ticketing systems have made themselves a very prominent target for such attacks because event organizers have increasingly relied on massive data-harvesting technology as a part of their operations, requiring the use of their mobile app to access tickets sold for most events. These systems enable ticketing companies to access enormous amounts of user data. This data forms one of the key pillars of Ticketmaster’s sales pitch to event operators, as it can be shared freely with those event operators, as well as sold on to third parties without further user consent.

FURTHER READING | ASM Global, Ticketmaster Extend Deal on Strength of Data Harvesting

When asked in public testimony what data the company could access from users on these systems, a then-executive testified that the company went no further than “name, phone number, email address,” in its data grab. But its own terms and conditions and privacy policy show a far wider spectrum of what they can take from users through these apps.

Should the hacker claims prove out, the breach would be among the largest ever reported.

Live Nation and Ticketmaster have already been having a rocky week, facing a massive antitrust lawsuit filed by the Department of Justice and 30 state and district attorneys general Thursday in New York.

DOJ, 29 States File Lawsuit Seeking Live Nation/Ticketmaster Breakup
States Suing LN/TM Represent 80% of U.S. Population
OVG Colluded, Rather Than Competed Against, Live Nation Under Azoff
What They’re Saying – State AGs on Why They’re Suing Live Nation