Ticketmaster Data Breach Lawsuit Seeks Damages for More Than Half a Billion Users Whose Information Was Exposed

In recent months, both Ticketmaster and AT&T have faced growing litigation over separate data breaches, claiming the companies failed to adequately protect consumers’ private information.

Live Nation faces a rapidly growing number of Ticketmaster data breach lawsuits, since revealing that hackers infiltrated its systems and stole the private information of an estimated 560 million customers.

The litigation emerged after the company disclosed that the hacker group ShinyHunters had gained access to the Ticketmaster data, and was attempted to sell customers’ personal identifying information (PII) on the dark web. The warning came only a few months after the same group was linked to a massive AT&T data breach, which impacted approximately 73 million current and former customers of the telecom giant.

The Ticketmaster data breach allegedly compromised the names, home addresses, emails, phone numbers, ticket purchases, and partial credit card data of its customers, and the parent company Live Nation now faces a number of class action lawsuits brought by consumers who are seeking restitution for acts of identity theft, fraud, and the need for credit monitoring after the exposure of their information.

This month a complaint (PDF) was filed by James Curry and David Freifeld in the U.S. District Court for the Central District of California, seeking national class actions status to pursue damages from Live Nation Entertainment, Inc., and Ticketmaster LLC on behalf of more than half a billion customers.

Curry and Friefeld do not indicate that they have yet been the victim of identity fraud, but claim that they have experienced emotional distress and had to take extra efforts to secure their finances and accounts as a result of the Ticketmaster data breach, like millions of other customers will be required to do.

The lawsuit blames the breach on security failures by Ticketmaster, indicating the company failed to adequately secure its customers PII.

“Ticketmaster failed to protect and safeguard Plaintiffs’ and Class Members’ private information, in fact failing to adhere to even its most basic obligations,” the lawsuit states. “As a result, Plaintiffs and Class Members have suffered or will suffer actual injury, including loss of privacy, costs, and loss of time.”

Data Breach Problems and Litigation Growing

The complaint notes that data breaches are a growing problem in the U.S., as more and more transactions are online, resulting in companies storing massive troves of private customer information.

According to the lawsuit, 65% of data breach victims suffer identity theft as a result, with customers losing $56 billion due to data breaches in 2020 alone.

The same group that hacked Ticketmaster, ShinyHunters, is also the group claiming responsibility for the AT&T data breach, which likely happened in 2021. However, AT&T did not admit that it had occurred until this March, leaving millions of customers scrambling to protect themselves from identify fraud after their personal information had already been released on the Dark Web.

Since the revelation, a growing number of AT&T data breach lawsuits have also been filed in courts nationwide, both by individuals who actually experienced identity fraud, and class action complaints by concerned customers.

Given common questions of fact and law raised in those complaints, the U.S. Judicial Panel on Multidistrict Litigation (JPML) established an AT&T data breach multidistrict litigation (MDL) earlier this month, consolidating all complaints filed through the federal district court system in the U.S. District Court for the Northern District of Texas under Judge Ada E, Brown, who will shepherd the litigation through coordinated pretrial proceedings.

Now that an AT&T data breach MDL has been established for the lawsuits, it is expected that Judge Brown will establish a coordinated schedule for discovery to uncover how the customer information was released, steps that could have been taken to prevent the breach and how long AT&T knew about the problem.

If the parties fail to negotiate AT&T data breach lawsuit payouts for individual customers, it is likely that the Court will select a small group of representative cases to serve as early “bellwether” trials, which typically help the parties gauge how juries may respond to certain evidence and testimony that is likely to be repeated throughout the litigation. If AT&T fails to reach data breach settlements during the MDL proceedings, each individual claim may later be remanded back to the U.S. District Court where it was originally filed for trial.

It appears likely that the Ticketmaster data breach lawsuits are heading down a similar path, where it may be necessary for the U.S. JPML to establish a separate consolidated proceeding for those claims, as complaints are filed in various different U.S. District Courts nationwide.