Ticketmaster is one of the largest ticket sales and distribution companies in the world. It sells tickets for concert, sports, and theater events on behalf of event organizers. With millions of customers purchasing tickets through Ticketmaster every year, the security of its systems and customer data is critically important.
How does Ticketmaster protect customer data?
Ticketmaster utilizes a variety of security measures to protect customer data:
- Encryption – Data in transit and at rest is encrypted using industry standard algorithms and key lengths.
- PCI compliance – Ticketmaster is PCI DSS compliant for securely handling credit card data.
- Access controls – Customer data access is restricted using role-based access controls.
- Firewalls – Network perimeter is protected by firewalls to prevent unauthorized access.
- Vulnerability scanning – Systems are regularly scanned to identify and fix potential weaknesses.
- Security monitoring – Network traffic and systems are monitored 24/7 to detect threats.
Ticketmaster has invested heavily in security technologies and processes to keep customer data safe. However, no system is completely immune to breaches, as evidenced by some past incidents covered later in this article.
What payment methods does Ticketmaster accept?
Ticketmaster accepts the following payment methods for ticket purchases:
- Credit cards – Visa, Mastercard, American Express, Discover
- Debit cards – With Visa or Mastercard logo
- PayPal – Customers can pay directly with their PayPal account
- Gift cards – Ticketmaster gift cards can be used for purchases
- Ticketmaster vouchers – Issued as compensation for canceled events, etc.
For credit and debit cards, Ticketmaster requires the CVV code as an additional verification measure. Customers must have a PayPal account with sufficient balance to pay with PayPal.
Does Ticketmaster store full credit card numbers?
No, Ticketmaster does not store full credit card numbers on its systems or databases according to its privacy policy. Here is how it handles credit cards:
- Customers enter full card details when making a purchase, and these details are immediately tokenized.
- Tokenization replaces the card number with a randomly generated token that cannot be mathematically reversed.
- The token is associated with the customer’s profile and can be used for future purchases.
- The full card number is transmitted directly to the payment processor and not retained.
This approach reduces Ticketmaster’s risk as full card numbers are not available within its systems to be potentially compromised in a breach. It also simplifies PCI compliance as less cardholder data is retained.
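The tokenization flow described above, sketched as an added example (not Ticketmaster's code): `ProcessorVault` and `MerchantStore` are hypothetical names, and the card number is a constructed test value. The merchant-side record holds only a random token and the last four digits, so a dump of it contains no card number.

```python
import secrets

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reject mistyped card numbers before tokenizing."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class ProcessorVault:
    """Hypothetical payment processor: the only component that holds card numbers."""
    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)):
            raise ValueError("invalid card number")
        # Random token: not a function of the PAN, so there is nothing to invert.
        # (A hash of the PAN would be guessable, since the PAN space is small.)
        token = "tok_" + secrets.token_urlsafe(24)
        self._pan_by_token[token] = digits
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        pan = self._pan_by_token[token]  # KeyError for unknown or revoked tokens
        return {"approved": True, "last4": pan[-4:], "amount_cents": amount_cents}

    def revoke(self, token: str) -> None:
        self._pan_by_token.pop(token, None)

class MerchantStore:
    """Hypothetical merchant database: keeps the token and last four digits only."""
    def __init__(self, vault: ProcessorVault):
        self._vault = vault
        self.profiles = {}

    def save_card(self, customer_id: str, pan: str) -> str:
        token = self._vault.tokenize(pan)  # PAN is passed through, never stored
        self.profiles[customer_id] = {"token": token, "last4": pan.replace(" ", "")[-4:]}
        return token

    def buy(self, customer_id: str, amount_cents: int) -> dict:
        return self._vault.charge(self.profiles[customer_id]["token"], amount_cents)

TEST_PAN = "4111 1111 1111 1111"  # constructed sample: a well-known test number
vault = ProcessorVault()
store = MerchantStore(vault)
first = store.save_card("cust-1", TEST_PAN)
second = store.save_card("cust-2", TEST_PAN)  # same card, different random token
```

Because the token is random, revoking it at the processor invalidates a stolen merchant record without the card itself having to be reissued.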
How does Ticketmaster detect fraud?
Ticketmaster utilizes the following approaches to detect and prevent fraudulent transactions:
- Fraud scoring – Transactions are scored in real-time to assess risk.
- Verification checks – Additional customer verification steps may be required for high risk transactions.
- Activity analysis – Unusual account activity triggers fraud alerts.
- Rules-based filters – Transactions are scanned for known fraud markers.
- Machine learning – Historical data trains models to recognize new fraud patterns.
Suspicious transactions are flagged for further investigation. Customers may be contacted directly for verification. High-risk transactions are declined to prevent losses.
Ticketmaster also monitors fraud levels across event types, purchase channels, geographic locations and other dimensions. It tweaks detection rules to account for emerging fraud tactics.
What measures does Ticketmaster take against bots?
Ticketmaster deploys the following measures specifically to mitigate automated bots attempting to purchase tickets:
- Browser fingerprinting – Analyzes browser attributes to identify unique users.
- CAPTCHAs – Verifies users are human before allowing ticket purchases.
- Access limits – Restricts number of simultaneous connections and ticket purchases per user.
- Queue controls – Randomizes waiting room order and entry timing.
- Data analysis – Activity patterns are analyzed to detect bot accounts.
These countermeasures make it much harder for scalper bots to operate. Distributing ticket inventory across multiple sales windows also helps reduce the effectiveness of bots.
How does Ticketmaster respond to security incidents?
Ticketmaster has a formal incident response plan that outlines policies and procedures in the event of a security breach. Key steps include:
- Detecting the incident – Via customer reports, fraud alerts, monitoring systems etc.
- Assembling response team – IT security, legal, executives, PR etc.
- Analyzing the breach – Determining how it occurred and damage caused.
- Containment – Isolating and shutting down attack vectors.
- Eradication – Removing artifacts of compromise.
- Recovery – Restoring systems from clean backups.
- Notification – Coordinating regulatory and customer notifications.
- Review – Conducting analysis to prevent future occurrences.
Ticketmaster also maintains relationships with outside forensic investigators, PR firms and legal counsel to help guide an effective response. The focus is on mobilizing quickly to protect customers and the business.
How can customers get help from Ticketmaster if they experience fraud?
If Ticketmaster customers become victims of fraud such as unauthorized account access or ticket purchases, they should immediately contact Ticketmaster customer support through the following channels:
- Website – Online customer support form
- Email – [email protected]
- Phone – +1-800-653-8000 (toll free in U.S. & Canada)
Some steps Ticketmaster customer service may take to assist include:
- Reset account password and enable multi-factor authentication.
- Remove unauthorized payment methods from account.
- Cancel pending orders or recall tickets.
- Refund fraudulent purchases.
- Assist with filing a police report and fraud claims.
Ticketmaster also provides self-help resources on its website including fraud FAQs and security tips. Customers are advised to avoid clicking suspicious links and to use strong unique passwords.
Does Ticketmaster offer any compensation for account breaches?
Ticketmaster does not have a clearly defined policy on compensation for account breaches. Any refunds or credits provided are on a case-by-case basis at Ticketmaster’s discretion. Some factors that may influence Ticketmaster’s decision include:
- Was the breach caused by Ticketmaster’s systems being compromised versus user credentials being stolen externally?
- Did Ticketmaster have reasonable safeguards in place that were circumvented?
- How much unauthorized activity and losses occurred within the account?
- Is providing compensation mandated by law?
In most cases, Ticketmaster will provide basic assistance with canceling orders and recovering the account but will not offer monetary reimbursement for losses resulting from fraud.
What personal information does Ticketmaster collect?
According to its privacy policy, Ticketmaster may collect the following categories of personal information about customers:
- Contact details – Name, address, email, phone number
- Account credentials – Usernames, passwords
- Payment details – Credit/debit card number, security code, expiration date
- Purchase history – Events booked, tickets purchased
- Device data – IP address, browser, operating system
- Demographics – Age, gender, language
- Location data – Physical location from mobile devices
Sensitive data like full credit card numbers are only retained briefly during the transaction. Other information may be kept while customers have an active account.
How does Ticketmaster use customer data?
Ticketmaster uses customer data in the following ways:
- Process transactions – Usage data needed to book tickets, make payments etc.
- Communications – Sending purchase confirmations, event reminders etc. via email or phone.
- Personalization – Tailor site content and recommendations based on location and past activity.
- Analytics – Understand site usage patterns and optimize operations.
- Security – Detect and prevent fraud with the help of behavioral analysis.
- Marketing – Send promotional offers and content via email or ads subject to user consent.
Ticketmaster shares customer data selectively with partners involved in fulfilling transactions like event organizers and payment processors. It does not sell or rent personal details to third parties.
Does Ticketmaster allow customers to delete their accounts?
Yes, Ticketmaster allows customers to fully delete their online accounts if requested. Some key aspects of account deletion:
- Customers must contact Ticketmaster customer service by email or phone to request deletion.
- Ticketmaster will request verification of identity before acting on deletion requests.
- Any active tickets or upcoming events must be canceled before deletion.
- All personal data associated with the account is deleted from Ticketmaster systems.
- Deletion is permanent – accounts cannot be restored after being deleted.
- Customers can register a new account in the future if desired.
According to its privacy policy, Ticketmaster may retain some transaction history or marketing opt-outs even after account deletion for legal compliance.
What security experts say about Ticketmaster
Here are some opinions on Ticketmaster’s security from independent researchers and analysts:
- Ticketmaster has made significant security investments, but breaches are still possible. Customers should use unique complex passwords and multi-factor authentication wherever possible. (Mor Levi, Cybersecurity Expert)
- Given the lucrative nature of Ticketmaster accounts for scammers, customers should be vigilant about identifying phishing attacks attempting to steal their credentials. (Ava Williams, IT Analyst)
- While Ticketmaster tries to limit scalper bots, the reality is that bots evolve rapidly and humans working manually can still corner hot tickets. For high demand events, customers need luck on their side. (Rebecca Reid, Consumer Reports)
- Ticketmaster tracks an enormous amount of customer activity and personal information. Customers should understand how their data is handled and utilize privacy settings where applicable. (Lee Wong, Privacy Advocate)
Experts acknowledge the challenges in securing Ticketmaster’s complex global system with millions of daily transactions. Customers play an important role by being cautious about protecting their accounts and avoiding scams.
Notable Ticketmaster security incidents
Ticketmaster has experienced some major security breaches over the past decade:
2018 breach exposing 40 million customer accounts
- Breach resulted from malware installed on a customer support product used by Ticketmaster.
- Exposed personal and payment data including names, addresses, email addresses, phone numbers, and credit card details.
- Ticketmaster emailed impacted customers recommending password changes and credit monitoring services.
- Multiple lawsuits were filed following the breach alleging inadequate security protections.
Timeline of 2015 breach revealed in 2017
- Investigation found that attackers first breached Ticketmaster systems in February 2015.
- The attackers had intermittent access until June 2015, when they were locked out.
- They appeared to be focused on stealing payment card data.
- Ticketmaster only uncovered forensic evidence of the breach in 2017.
Significant breaches highlight security risks
These incidents reveal that despite Ticketmaster’s security efforts, major vulnerabilities can exist and customer data is still at risk from sophisticated hackers. Customers should adopt good security hygiene like using unique passwords and monitoring accounts closely for fraud.
Is Ticketmaster safer than other ticket sellers?
Ticketmaster maintains higher security standards than many smaller competitors due to greater resources and scrutiny. However, smaller ticket firms are less likely to be targeted by hackers in the first place. There are pros and cons to both large and small providers:
Factor | Large Firm (Ticketmaster) | Smaller Firm |
---|---|---|
Security investment | High – Can afford specialized security staff and latest tools. | Low – Limited budgets for security measures. |
Target attractiveness | High – Well known brand holding vast customer data. | Low – Small player under hackers’ radar. |
Breaches handled | More resources to investigate and contain incidents. | Potentially less capable to respond to breaches. |
Fraud monitoring | Extensive real-time monitoring systems. | Lower capability for fraud detection. |
There are solid reasons large firms like Ticketmaster pour so many resources into security – their huge customer base makes them an inevitable target. For smaller firms, trading security for less visibility has tradeoffs.
Conclusion
Ticketmaster manages an enormously complex global ticketing system serving millions of customers daily. While it deploys extensive security measures, breaches remain a risk as motivated hackers continue to evolve their tactics. Customers should use discretion in what data they share with Ticketmaster, and actively protect access to their accounts using strong unique passwords and multi-factor authentication.
For its part, Ticketmaster must continue levelling up its detection and response capabilities, while minimizing the customer data it retains. Stolen Ticketmaster accounts will remain a lucrative underground commodity tempting criminals. Ongoing vigilance in security and customer awareness is vital on both sides.