Brock University experts are calling for stronger consumer protections after millions of Ticketmaster customers were alerted that their personal data may have been compromised in a security breach.
In an email sent to customers this week, the ticket seller says it detected unauthorized activity on an isolated cloud database hosted by a third-party data services provider. Anyone who purchased tickets using the platform between April 2 and May 18 of this year may have been impacted.
The company determined that personal information, including customers’ names, basic contact information and payment card information such as encrypted credit or debit card numbers and expiry dates, may have been affected.
This is not the first time a security breach has occurred on the platform, and Associate Professor of Information Systems Francine Vachon says the lag time between the company getting wind of this breach and alerting customers was extremely problematic.
“The long delay means that criminals had time to use this data and because consumers didn’t know their data was compromised, they were prevented from taking active measures to protect themselves,” she says.
She adds that at least one hacker group even bragged about selling the personal information of Ticketmaster’s customers on the dark web, to the tune of $500,000.
Aaron Mauro, Associate Professor and Chair of the Department of Digital Humanities at Brock, says the incident further highlights the need for stricter regulation for companies entrusted with sensitive personal and financial information.
“We should be actively asking our politicians to create laws that demand accountability, transparency and consequences for monopolistic corporations that mishandle our private, financial information,” he says.
Mauro also emphasizes the need to take into account the complexity of ecommerce platforms such as Ticketmaster, which have many software and service providers embedded within their systems.
While Ticketmaster’s own systems may be secure, he says, their service providers may be compromised.
“Assigning fault may be plausibly deflected by companies like Ticketmaster,” says Mauro, “but the harms to consumers remain the same without accurate and early reporting of security incidents.”
Vachon says harsher penalties may prevent incidents like this from happening so often.
“From the Canadian legal perspective, until recently, our laws ‘had no teeth,’” she says. “Ticketmaster, perhaps, felt no urgent need to inform Canadians of the breach.”
Vachon says the maximum fine for non-compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada — including not sending a data breach notification — is $100,000. Quebec has the stiffest penalties in the country, she adds, fining up to $10 million for an infraction.
Ticketmaster has also been embroiled in other contentious incidents that have frustrated consumers and artists alike, such as flubbing major ticketing releases and criticisms surrounding exorbitant ticket prices and sky-high service fees.
Ticketmaster and its parent company Live Nation Entertainment were recently sued by the U.S. Department of Justice following allegations that their monopoly over live events has vastly driven up ticket prices, and there are numerous class-action lawsuits in provinces across Canada that accuse it of allegedly profiting from third-party ticket reselling.
The stakes are even higher considering Ticketmaster is essentially the only game in town when it comes to ticket sales.
“Ticketmaster has a near monopoly on ticket sales and artificially inflates prices by allowing scalpers to resell tickets, which further inflates ticket prices sold legitimately,” Mauro says.
Mauro and Vachon suggest that anyone concerned that their data may have been compromised should consider doing the following:
- Contact your bank if you believe your credit card has been stored on Ticketmaster systems.
- Anyone with a Ticketmaster account should change their password or delete their account.
- Do not use the same password for different online accounts.
- Use a password manager for stronger passwords and greater ease of use.
- Use Multi-Factor Authentication apps, which protect your accounts if your password is compromised.
- Consider using a service such as Have I Been Pwned? to determine if your email is being publicly traded by criminals online. If you discover your information is associated with a compromise, take the previous two steps to secure those accounts.
- Those who rarely apply for credit can opt to have a credit watch placed on their credit bureau file.