
The Ticketmaster Data Breach — and How It Could Have Been Avoided


We recently highlighted the evolution of cybersecurity threats and the devastating impact an attack can have. It’s clear that even the most high-profile organizations can fall victim, as the May 2024 data breach at Ticketmaster demonstrated.

In this article, we explore what happened at Ticketmaster, the impact of the breach, and how you can protect your customers’ data to avoid falling prey to a similar attack.

What happened at Ticketmaster

In May 2024, Ticketmaster discovered unauthorized activity on an isolated cloud database hosted by the third-party data services provider Snowflake. Snowflake operates a cloud computing platform designed to provide a unified service for data warehousing, data lakes, data engineering, and data science without the need for infrastructure management.

The breach was attributed to the hacking group ShinyHunters, who exploited weaknesses in Ticketmaster’s third-party service integrations. They used stolen login details, likely obtained through info-stealer malware targeting a former Snowflake employee’s demo account that lacked multi-factor authentication (MFA). This enabled them to access Ticketmaster’s data held within Snowflake.

Snowflake pointed out that the breach was caused by compromised customer credentials rather than platform vulnerabilities and emphasized the need for stronger customer-side security, such as MFA. The unauthorized activity occurred between April 2 and May 18, 2024, but the breach may have begun even earlier in Q1 2024.

On May 27, 2024, ShinyHunters listed the private information of 560 million Ticketmaster customers for sale on the dark web, demanding $500,000 for approximately 1.3 terabytes of customer information.

The impact of the breach

The breach potentially affected up to 560 million Ticketmaster customers worldwide, primarily those who bought tickets to events in North America (U.S., Canada, and Mexico).

The compromised data included:

  • Names
  • Email addresses
  • Phone numbers
  • Physical addresses
  • Encrypted credit card numbers and expiration dates
  • Ticket purchase histories
  • Order information

Although some payment information was encrypted, a significant amount of personal data was exposed in unencrypted form.

In response, Ticketmaster offered affected customers free 12-month identity monitoring services and recommended that users monitor their bank accounts for suspicious activity, update passwords, and be cautious of phishing emails. The company stated that Ticketmaster accounts themselves remained secure and that no additional unauthorized activity was detected after the investigation began.

However, on May 29, 2024, one of the affected victims filed a lawsuit against Ticketmaster and Live Nation, alleging that the data breach was caused by the defendants’ failure to implement adequate cybersecurity measures.

They claimed that Live Nation and Ticketmaster had a duty to safeguard this private information under case law, industry standards, and statutes, including the Federal Trade Commission Act. FTC cybersecurity guidelines for companies to protect personal information include encrypting information stored on computer networks, understanding their network’s vulnerabilities, and using an “intrusion detection system to expose a breach as soon as it occurs.”

In the following weeks, at least 14 such data breach lawsuits were filed, the vast majority in the District of Montana, where Snowflake is headquartered. As a result, a motion was filed with the U.S. Judicial Panel on Multidistrict Litigation on July 29, calling for all lawsuits stemming from the Snowflake data breach, including those brought on behalf of the 560 million Ticketmaster customers, to be consolidated in the U.S. District Court for the District of Montana for coordinated pretrial proceedings before a single judge. Some 48 related actions are pending in 11 other district courts nationwide.

How to avoid a similar attack

Enforcing multi-factor authentication (MFA) for all employee accounts accessing sensitive systems and data would have made it much more difficult for the attackers to gain initial access to customer data. MFA adds an extra layer to the authentication process: users must provide more than just a password, combining two or more independent factors to verify their identity.
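The account described above (a demo account of a former employee, protected by a password alone) is the kind of entry a periodic inventory audit should surface. The following Python audit is an added example, not code from the original article or from any vendor; the field names, the sample users, and the 90-day dormancy threshold are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (not real data). The field names are assumptions
# modelled on a typical user export from a cloud data platform.
USERS = [
    {"name": "ALICE", "has_password": True, "mfa_enrolled": True,
     "disabled": False, "last_login": "2024-05-10T09:00:00+00:00"},
    {"name": "DEMO_SE", "has_password": True, "mfa_enrolled": False,
     "disabled": False, "last_login": "2023-11-02T14:30:00+00:00"},
    {"name": "BOB", "has_password": True, "mfa_enrolled": False,
     "disabled": False, "last_login": "2024-05-15T08:12:00+00:00"},
    {"name": "ETL_SVC", "has_password": False, "mfa_enrolled": False,
     "disabled": False, "last_login": "2024-05-17T23:59:00+00:00"},
    {"name": "OLD_CONTRACTOR", "has_password": True, "mfa_enrolled": False,
     "disabled": True, "last_login": "2022-01-20T10:00:00+00:00"},
    {"name": "NEVER_USED", "has_password": True, "mfa_enrolled": False,
     "disabled": False, "last_login": None},
]

DORMANT_AFTER = timedelta(days=90)  # assumed policy threshold
NOW = datetime(2024, 5, 18, tzinfo=timezone.utc)  # fixed so the result is reproducible


def audit_mfa(users, now):
    """Return (severity, name, reason) for each enabled account that a stolen
    password alone would unlock. Dormant and never-used accounts rank highest
    because nobody is watching them for unexpected logins."""
    findings = []
    for u in users:
        # Skip accounts that cannot log in, have no password to steal
        # (key-pair or SSO only), or already require a second factor.
        if u["disabled"] or not u["has_password"] or u["mfa_enrolled"]:
            continue
        if u["last_login"] is None:
            findings.append(("CRITICAL", u["name"], "password-only, never logged in"))
        elif now - datetime.fromisoformat(u["last_login"]) > DORMANT_AFTER:
            findings.append(("CRITICAL", u["name"], "password-only, dormant"))
        else:
            findings.append(("HIGH", u["name"], "password-only, in active use"))
    return sorted(findings)  # "CRITICAL" sorts before "HIGH"


if __name__ == "__main__":
    for severity, name, reason in audit_mfa(USERS, NOW):
        print(f"{severity:8} {name:15} {reason}")
```

Every finding is an account where a credential harvested by an info-stealer is sufficient on its own; the remediation is to enrol the account in MFA or disable it.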

But there’s more to effective cybersecurity than MFA. If adequate infrastructure-as-code (IaC) security measures had been in place, secure configurations, access controls, and continuous monitoring would have been enforced from the outset, preventing such a breach. Here’s how IaC security best practices provide the ultimate protection for the data your organization is accountable for:

Robust credential management and encryption

The credentials stolen in the Ticketmaster breach lacked proper protection. Adequate protection comprises several layers of security. This is available with a platform like Spacelift, which provides additional encryption at rest for customer secrets. Additionally:

  • All data is encrypted both at rest and in transit.
  • Credentials are stored using AWS KMS keys with restricted and audited access.
  • When credentials are generated, AWS Key Management Service encrypts them so they are never stored in plaintext.

Dynamic credentials and automatic rotation

A platform like Spacelift avoids the static credential problem entirely through:

  • Native cloud integrations with AWS, Azure, and Google Cloud using dynamic, short-lived credentials
  • Automatic credential rotation: Credentials are generated hourly with a 24-hour expiry, and new secrets are generated roughly 2 hours before expiry.
  • One-off credentials per run: Spacelift generates unique credentials for each infrastructure run, making stolen credentials useless after a brief period.

Granular access control (RBAC)

With a role-based access control (RBAC) system like Spacelift’s, organizations can enforce least-privilege principles:

  • Custom roles with specific, composable actions
  • Space-based permission assignment for precise control
  • Login policies using Open Policy Agent for programmatic access control
  • API keys with minimal required permissions for automation

Security auditing and compliance

Spacelift is SOC 2 Type II certified, with an independent external auditor confirming the effectiveness of internal controls for security, confidentiality, integrity, availability, and privacy of customer data. The platform also:

  • Conducts external penetration testing at least annually
  • Maintains an immutable audit trail of all infrastructure changes
  • Has a bug bounty program to identify vulnerabilities proactively
  • Recently achieved FedRAMP authorization for federal agencies

Private worker pools and VCS agents

For organizations with stringent security requirements, Spacelift offers:

  • Private worker pools where customers host the compute resources that access their codebase on their own infrastructure
  • VCS agent pools for secure access to on-premise version control systems
  • End-to-end encryption using asymmetric encryption for temporary run state

How Spacelift would have prevented the Ticketmaster breach

The critical failure in Ticketmaster’s breach was compromised credentials without MFA accessing a third-party cloud database. Spacelift addresses this through:

  1. Mandatory MFA enforcement at the organization level
  2. No static, long-lived credentials (Everything rotates automatically.)
  3. Multiple layers of encryption and access control
  4. Least privilege by default through granular RBAC instead of broad access
  5. Regular audits, penetration testing, and security reviews

These protections work together to ensure that even if one layer is compromised, multiple other safeguards prevent unauthorized access to customer infrastructure.

Final points

As the Ticketmaster breach illustrates, even the most high-profile networks are being accessed illegally through third-party vendors. This means companies should monitor the security posture of all their contracted vendors and service providers to confirm they comply with strict security standards and best practices. They should then implement rigid access controls, regular audits, and appropriate configuration of cloud storage and services to prevent unauthorized access.

Using an IaC orchestration platform such as Spacelift ensures the safety of your customers’ data, with features like MFA, multilayered encryption, granular RBAC, and private worker pools embedded within the product.

