Data Breach Class Action Lawsuit Filed Against Cloud-Based Storage Company Blamed For Ticketmaster Leak

A California woman has filed a data breach class action lawsuit against Snowflake, Inc., a cloud-based server company that was recently hacked, resulting in more than half a billion Ticketmaster customers’ data being stolen.

In June, Ticketmaster’s parent company, Live Nation, confirmed that hackers were able to obtain the data of more than 560 million customers, and were selling the personal identifying information (PII) on the dark web.

The Ticketmaster data breach compromised the names, home addresses, emails, phone numbers, ticket purchases, and partial credit data of customers. However, information released since the original announcement has indicated it was not Ticketmaster or Live Nation’s servers that were hacked, but instead the data was taken from Snowflake, which stores online data for numerous other companies.

According to the lawsuit and various news reports, Ticketmaster is just one of several companies hacked after trusting Snowflake with sensitive customer information.

Snowflake Data Breach Lawsuit Allegations

While most of the lawsuits filed since the Ticketmaster data breach have targeted Live Nation themselves, a complaint (PDF) filed last week by Madalena Bowers in the U.S. District for the District of Montana names Snowflake, Inc. as the only defendant.

Her lawsuit seeks class action status to pursue damages on behalf of all victims of data breaches caused by Snowflake’s cloud storage systems, which allegedly lack of adequate security. In addition to the Ticketmaster data breach, hacker attacks on Snowflake have also been linked to a data breach of Advanced Auto Parts and is believed to be how hackers also got access to data from Australian ticket provider Ticketek at the end of June.

Bowers’ lawsuit indicates that a lack of proper security at Snowflake has led to increased risks of financial loss and identity fraud for hundreds of millions of consumers worldwide.

“The notorious hacker group known only by its alias ‘ShinyHunters’ claimed that it had stolen 1.3 terabytes of personal data and is reportedly ready to sell, or has already sold, such information to nefarious dark web users for $500,000,” Bowers’ lawsuit states. “This Data Breach occurred because Snowflake enabled an unauthorized third party to gain access to and obtain former and current Ticketmaster and Live Nation’s customers’ Private Information from Ticketmaster’s systems housed by Snowflake.”

AT&T Data Breach Lawsuits

Snowflake also stores data for MasterCard, Novartis, PepsiCo, Allstate Insurance, Capitol One, Jet Blue, Progressive, State Farm, NBC Universal and AT&T. It is unclear whether Snowflake was involved in the recently announced AT&T data breach, which was also linked to ShinyHunters and exposed more than 70 million customers’ personal data.

The breach likely happened in 2021, but AT&T did not admit that it had occurred until this March, leaving millions of customers scrambling to protect themselves from identify fraud after their personal information had already been released on the Dark Web.

Since the revelation, a growing number of AT&T data breach lawsuits have also been filed in courts nationwide, both by individuals who actually experienced identity fraud, and class action complaints by concerned customers.

There will probably be more such lawsuits filed after AT&T announced yet another data breach to the Securities and Exchange Commission earlier this month, revealing that an estimated 110 million customers phone and text information was hacked, which apparently occurred several years ago.

The company notes that it does not believe the data is currently publicly available, and that AT&T is working with law enforcement. At least one arrest has already been made, the company indicates.

Given common questions of fact and law raised in those complaints, the U.S. Judicial Panel on Multidistrict Litigation (JPML) established an AT&T data breach multidistrict litigation (MDL) earlier this month, consolidating all complaints filed through the federal district court system in the U.S. District Court for the Northern District of Texas under Judge Ada E, Brown, who will shepherd the litigation through coordinated pretrial proceedings.

Now that an AT&T data breach MDL has been established for the lawsuits, it is expected that Judge Brown will establish a coordinated schedule for discovery to uncover how the customer information was released, steps that could have been taken to prevent the breach and how long AT&T knew about the problem.

If the parties fail to negotiate AT&T data breach lawsuit payouts for individual customers, it is likely that the Court will select a small group of representative cases to serve as early “bellwether” trials, which typically help the parties gauge how juries may respond to certain evidence and testimony that is likely to be repeated throughout the litigation. If AT&T fails to reach data breach settlements during the MDL proceedings, each individual claim may later be remanded back to the U.S. District Court where it was originally filed for trial.