Cyber Incident Victim: CrowdSurge
Date: Nov 2013
Location: United States of America
Summary
Ticketmaster, a Live Nation subsidiary, was fined $10 million for illegally accessing a competitor's systems using stolen credentials from a former CrowdSurge employee who joined its parent company. Employees systematically infiltrated confidential ticketing web pages and financial documents to identify and poach clients, aiming to undermine the rival's business operations. The scheme involved maintaining spreadsheets of compromised data and holding internal meetings to exploit unauthorized access. Ticketmaster admitted responsibility for charges including conspiracy, computer intrusion, and wire fraud, resulting in employee terminations and court-ordered compliance programs to prevent future violations of computer fraud laws.
Description
Ticketmaster, a Live Nation subsidiary, engaged in systematic corporate espionage against competitor CrowdSurge between 2013 and 2015. After hiring former CrowdSurge employee Stephen Mead in 2013, Live Nation executives immediately solicited confidential information despite Mead having signed non-disclosure agreements. Mead provided private URLs to CrowdSurge's draft ticketing web pages in November 2013, enabling Ticketmaster to monitor the competitor's client engagements. Internal communications revealed executives explicitly aimed to "choke off" CrowdSurge by stealing key clients, with one executive stating they could "cut [them] off at the knees" after poaching a major artist's presale business. The scheme escalated at Ticketmaster's May 2014 Artist Services Summit in San Francisco, where Mead shared additional confidential financial documents from his CrowdSurge tenure with division head Zeeshan Zaidi and other executives. Ticketmaster systematically catalogued CrowdSurge's client web pages in a dedicated spreadsheet to identify and target their customers. Despite this misconduct, Mead received a promotion to Director of Client Relations and a raise in January 2015.

The United States District Court for the Eastern District of New York charged Ticketmaster in 2020 with five criminal counts: conspiracy to violate the Computer Fraud and Abuse Act (CFAA), computer intrusion for commercial advantage, computer intrusion facilitating fraud, wire fraud conspiracy, and substantive wire fraud. Prosecutors highlighted how employees used stolen credentials to repeatedly access CrowdSurge systems, treating unauthorized access as standard business practice during divisional meetings. Ticketmaster admitted legal responsibility for its employees' actions under federal law, resulting in a $10 million criminal fine and a court order mandating enhanced CFAA compliance programs. The company terminated Mead and Zaidi in 2017 upon internal discovery of their activities, with a spokesperson acknowledging the violations contradicted corporate policies. No technical containment measures or system impacts on CrowdSurge were detailed in the settlement documents beyond the confirmed theft of business intelligence and client targeting. The case concluded with Ticketmaster's public statement expressing satisfaction with the resolution while avoiding direct commentary on the competitive consequences for CrowdSurge.
