Media coverage
Protecting Swifties: Brent Arnold speaks to CBC about Ticketmaster's data breach
Ticketmaster is grappling with alleged ticket fraud involving Taylor Swift concert tickets, prompting a new policy that limits transfers or resales to 72 hours before the show. While the company has not confirmed if this directly addresses fraud concerns, efforts to recover lost tickets are underway.
Brent Arnold, a commercial litigator and data breach counsel in Gowling WLG's Toronto office, recently spoke with CBC about the company's latest data breach scandal.
"What's different about now as opposed to a few years ago is anything that you can buy electronically and sell easily is going to become a target. This kind of attack is becoming much more common," said Brent.
About Gowling WLG's Cyber Security and Data Protection Law Group
We have extensive experience advising national and international clients on their data protection, privacy and cyber security needs. Our team of legal professionals can help you strengthen your cyber security defences, protect your data and manage cyber breaches.
INTERVIEWER: Some concert fans are getting an unwanted surprise. Tickets are being stolen out of their Ticketmaster accounts. That's prompted the company to pause ticket transfers for Taylor Swift's upcoming Toronto shows. Brent Arnold is a lawyer with Gowling WLG. He specializes in cyber security and is with us now. Hi, Brent.
BRENT ARNOLD: How are you doing?
INTERVIEWER: I'm doing OK. So if you walk me through this, somebody has gone somehow and got Taylor Swift tickets. It's in their Ticketmaster account, and what's happening?
BRENT ARNOLD: Well, what's happening is they are taking those tickets, transferring them to presumably whoever is behind this, and one assumes they're selling those tickets. And it's not just Taylor Swift. It's a lot of Taylor Swift tickets, but it's tickets to concerts like Korn and Pink and other performers. Obviously, the Taylor Swift ones are the one that's catching everyone's attention because they're the most expensive. And in a lot of cases, people spend a few hundred dollars to get those tickets, and they're now retailing for thousands.
INTERVIEWER: [INAUDIBLE] something to do because obviously, the fraudsters here are hacking into people's Ticketmaster accounts. Are they doing that because we don't have strong enough passwords, or does it have something to do with the data breach that Ticketmaster experienced a while back?
BRENT ARNOLD: Well, on the first part of that, it depends who you ask. Ticketmaster is saying they're not hacking our website. They're getting into your email accounts. That seems like the harder way to do it to me and less likely. But one way or the other, what seems to have happened here-- we know it's not from the breach. Because in the breach that happened a few months ago, passwords weren't leaked.
So somebody has email addresses for people that have Ticketmaster accounts, and they are managing to get into those accounts. It's more likely something along the lines of a password spray attack or a credential stuffing attack, and we need to get into the details. But the bottom line is they got the passwords somewhere else. Either your passwords have been leaked in some other data breach, and you've reused that password for your Ticketmaster account. Or they're using a bunch of generic passwords that people foolishly use as their password-- password 1, 2, 3. That sort of thing. So it's like somebody in an old movie taking a ring of skeleton keys and just trying all of them until they find one that works.
INTERVIEWER: Oh, yeah. OK. And now this is-- what's being taken advantage of is the ticket transfer function. Is there a flaw that's being exposed here?
BRENT ARNOLD: Well, it's hard to say. I mean, what's being exposed here is that there aren't multiple levels of authentication required to get into your account.
INTERVIEWER: Right.
BRENT ARNOLD: And some people are being critical and saying, well, why isn't there multi-factor authentication? And for listeners that don't know, that means essentially you try to get into your account, it sends a text to your phone, and by putting in the number you get on your phone, it's proof that it's because you also have the phone that's associated with the account. That's not on this. Now, that's a technology that's becoming increasingly common, but it also makes it more difficult for people to get into their accounts. So this is a situation where Ticketmaster is balancing off the security of accounts versus ease of use.
INTERVIEWER: Mm-hmm.
BRENT ARNOLD: It sounds like they may be moving towards implementing that, but it can take months to do that at scale across an organiza-- like a website that's got thousands and in this case, millions of accounts. So it takes a long time to implement that. In the meantime, the problem is people are reusing passwords. Which means if you were involved in a data breach-- and you may not even know that this happened-- your email and the password are out there. They get a list of these off the dark web, and then they just try them. And because you've reused the same password or you've used an easily guessed password, people are getting in. So yeah, there are ways to make that security stiffer, but the downside is that people who aren't great with computers find it more difficult to get into their accounts.
INTERVIEWER: Ticketmaster's argument, as you say, is it's not our system. It's your email. Is there any risk of legal culpability on their end?
BRENT ARNOLD: It's going to depend on the terms of the contract. Usually, what you'll find in any online account in those long agreements that none of us ever read is that your limitation-- your liability is limited.
INTERVIEWER: Mm-hmm.
BRENT ARNOLD: Often, it's limited to the amount that you spent on whatever it is that you've bought through the website. So it's not going to be easy for people to challenge Ticketmaster. And it sounds like they are going to have a good forensic case to say, they didn't hack our system. They walked through the front door with your account because you had an easily guessed password. And there's ways of telling that forensically, so I would say it's going to be an uphill battle for people that want to take Ticketmaster on over this.
INTERVIEWER: There are so many scams and frauds that are going on out there. What does it say that concert tickets, which in some cases are very valuable on the resale market-- what does it say that they've become the next great thing that scammers are targeting?
BRENT ARNOLD: Well, anything that you can buy electronically and sell easily is going to become a target. And yeah, you're absolutely right. What's different about now as opposed to a few years ago, first of all, the kind of attack that we're seeing in this instance, what we think it is, is becoming more common. So we're going to see more of that just in general.
I'm actually dealing with a case that's very much like this, where it was a very similar attack. The website wasn't compromised but somebody else was. And the other part of it is that as the tickets get more valuable, and the Taylor Swift tour is a really good example of this-- many times more than what people used to spend on tickets. So it's worth somebody's time to get into account and flip a ticket for a few thousand bucks. That's well worth an hour or two of my time.
INTERVIEWER: Yeah, absolutely. And the risk of being found out is seemingly quite low.
BRENT ARNOLD: It can be. And the problem that we'll often see is even if we manage to locate the person who's behind it, there's a better than even chance they're not in Canada. They're in some other country where there's no extradition treaty. And like a lot of cybercrime, they might probably be in Russia.
INTERVIEWER: Mm-hmm.
BRENT ARNOLD: Or they might be one of a number of other states where we can't get them. The government of that state isn't going to cooperate with us to help us go prosecute them. And some of those cases, Russia being one of them, they're perfectly happy with hackers causing chaos in the western world.
INTERVIEWER: Absolutely. We see it all over the place. All right, Brent, thank you so much.
BRENT ARNOLD: Thank you.
INTERVIEWER: That is Brent Arnold, who's a lawyer and data breach counsel with Gowling WLG.