Live Nation SEC filing confirms “unauthorized activity” in wake of alleged Ticketmaster hack

Following a cybercrime group’s claims that it stole data from 560 million Ticketmaster customers, the ticket sales and distribution firm’s parent company told the US Securities and Exchange Commission (SEC) on Friday that it had identified unauthorized activity with a cloud partner.

“On May 20, 2024, Live Nation Entertainment identified unauthorized activity within a third-party cloud database environment containing company data — primarily from its Ticketmaster LLC subsidiary — and launched an investigation with industry-leading forensic investigators to understand what happened,” the SEC filing said. 

The filing did not address the number of customer accounts impacted, but it did seemingly reference the Cybercrime group ShinyHunters’ claims.

“On May 27, 2024, a criminal threat actor offered what it alleged to be company user data for sale via the dark web,” the filing said. “We are working to mitigate risk to our users and the company and have notified and are cooperating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information.”

LiveNation, which is facing antitrust lawsuits after the US and state governments sued the company, demanding its breakup over concerns it has illegally inflated ticket prices, said it does not believe the breach will have a material impact on its business or financial condition. “We continue to evaluate the risks and our remediation efforts are ongoing.”

Cloud partner that experienced breach not identified

The company did not identify the cloud partner referenced, but one of its cloud partners — Snowflake — issued its own statement June 2 referring to “cyber threat activity.” Various media reports have connected the Ticketmaster situation to the Snowflake statement, but CSO could not positively confirm the two incidents were related.

Snowflake said in its statement that it had recently observed and was investigating an increase in threat activity targeting some of its customers’ accounts. “We believe this is the result of ongoing industrywide identity-based attacks with the intent to obtain customer data. Research indicates that these types of attacks are performed with our customers’ user credentials that were exposed through unrelated cyber threat activity,” the company said.

“To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product. Throughout the course of our ongoing investigation, we have promptly informed the limited number of customers who we believe may have been impacted.”

Snowflake claims some 9,437 customers including Albertsons, JetBlue, Honeywell, Disney, MasterCard, Pfizer, and Petco.

Damage from such a breach could spread through cloud environments

Danielle Stepien, the CEO of Igniter Engineering, which does cybersecurity work with aerospace and related verticals, said she was concerned the breach may indicate a widespread threat.

“If it is a ransomware attack of any kind, this could be an infection of sorts, making a huge impact on business operations that could affect supply chains, other systems we don’t know about publicly yet, and more,” Stepien said. “The fact this was done in the cloud is bad, as it can affect any other system on the same cloud, if the hack was done thoughtfully in the cloud.”

Stepien added the nature of this kind of third-party exposure could cause the damage to quickly escalate. 

“Database hacks have huge implications, whether hacked on the cloud or on-prem. You have no idea how connected one database is to all other databases, as that is obviously proprietary knowledge,” Stepien said. “If they are connected, there are huge implications on business operations in anything that was affected.”

Live Nation’s filing used new SEC incident reporting guidelines

It appears that Live Nation may have taken seriously recent revised guidance from the SEC about which reporting form to use when it is not concluded that an incident is material — the SEC now suggests using form 8.01, which the company used. 

Part of the confusion over SEC reporting requirements is that companies are being asked to determine if an incident is material before reporting it. Once they do, they have four days to file a report. But many companies — including Live Nation — are telling the SEC that they have yet to make a determination of materiality. It’s not clear how that helps investors.

Typically, the enterprise views material based on likely impact to revenue and/or net income. For large enterprises — Live Nation’s latest annual revenue was $22.7 billion — that usually only happens when the company expects a large number of customers to leave because of the incident or the loss of a large portion of revenue given the departure of some of its largest customers. 

With Ticketmaster, that would only happen if consumers went elsewhere to purchase entertainment tickets. In the US, there are few alternative merchants, suggest that a cyberattack would only become material if it alienated a large number of venues and/or major performers. 

In this instance, the attack was not even on the enterprise, but a cloud partner of the enterprise, making a materiality determination even more unlikely.