Class Action Lawsuit Filed Against Eventbrite Over Embarrassing Ticketfly Hack

What’s the true cost of using Eventbrite and Ticketfly?  Anxiety and a lot of anguish, claims a new lawsuit.

On May 30th, a top-level hacker followed through on his threat against indie ticketing service Ticketfly.

After sending an e-mail to the ticketing service about weaknesses in its WordPress blog, Ishakdz breached Ticketfly.com.  The hacker had gained access to “information about Ticketfly’s members.”  Ishakdz then asked the ticketing service for a single bitcoin – worth about $7,500 – in exchange for the data.

Ticketfly didn’t pay up.  So, six days later, the notorious hacker posted the sensitive information of 26 million customers.  This included names, addresses, emails, phone numbers, passwords, and even credit card details.

Now, parent company Eventbrite is paying the price for the humiliating breach.

So, who’s truly to blame?

Shanice Kloss has filed a class-action lawsuit against Eventbrite in the Circuit Court of Cook County, Illinois.

According to Kloss, Eventbrite “was storing sensitive information…it knew was of value to, and vulnerable to, cyber attackers.”  The company failed to take basic security precautions that could’ve prevented the hack, instead implementing “lax cybersecurity procedures.”

Highlighting Ishakdz’s ransomware attack on Ticketfly’s servers, Kloss states the company “failed to prevent, detect” and act on the breach.  The hacker – Ishakdz – had reportedly notified Eventbrite “that its IT systems contained a vulnerability.”  Nevertheless, the company didn’t take reasonable measures to either “mitigate the vulnerability” or get in touch with the hacker.

Worst of all, continues Kloss, Eventbrite failed to notify users about the attack.

“[Eventbrite] has failed to implement any breach notification process whatsoever following the Data Breach.”

Kloss didn’t find out about the attack until September 13th after coming across Eventbrite’s tweet from June 6th.

Even then, Eventbrite failed to provide follow-up tools for affected consumers.  Kloss had to use a forensic online tool to determine whether her information was exposed in the data breach.

Unfortunately, it was.

The company also failed to “implement a reasonable cybersecurity protocol that included adequate technical, administrative, and physical controls.”  This includes an “adequate intrusion detection and prevention system” that would’ve alerted Eventbrite to a data breach on Ticketfly.com.  At least, continues Kloss, “adequate firewalls would’ve prevented access to hashed password values.”

Pinning the blame on Eventbrite for the fallout of the hack, Kloss writes the company “let its customers languish in ignorance.”  Consumers weren’t notified about the real risk of “irreversible privacy harms.”

Plus, had Kloss known both companies would fail to implement “reasonable safeguards,” she never would’ve used Ticketfly.com.

So, why did Eventbrite fail to implement the safeguards?  Money.

The company, she continues, had saved on “the costs of compliance.”

Yet, this negligent response has led her – and millions of other consumers – to face the impending threat of future harm.  Like her, they now have to monitor their credit and other financial information to guard against fraud.  Such fraud includes the opening of credit cards and other financial accounts in their names.

In addition, Eventbrite has caused mental anguish.  Kloss’ legal team explains,

“For example, she experiences anxiety and anguish when thinking about what would happen if her identity is stolen as a result of the Data Breach.”

Kloss and her legal team have brought four counts against Eventbrite and Ticketfly.

First, the Delaware-based company has violated the Illinois Consumer Fraud and Deceptive Business Practices Act.

Illinois law states all companies doing business in the state must implement and maintain reasonable security measures to protect consumers.  In addition, should a breach occur, companies must notify consumers in the most expedient time possible and without unreasonable delay.

Eventbrite failed to both implement safeguards and notify consumers about the attack.  Thus, the company has violated the Illinois Personal Information Protection Act.  As a result, continues Kloss, consumers have suffered injury and actual damages.

Second, Eventbrite breached its contract with consumers.

The company’s failure to safeguard consumers’ information – including implementing prevention, detection, and notification features – constitutes a breach of contract.

Third, Eventbrite breached its implied contract with consumers.

The company didn’t have an express contract with Kloss and other members of the class-action lawsuit.  But, Eventbrite had entered into an implied contract with consumers through Ticketfly.  As such, the company was obligated to secure and safeguard consumers’ information.  By failing to do so, Eventbrite violated its implied contract with consumers.

Fourth, the company flat-out acted in negligence.

Eventbrite didn’t only fail to adequately secure and safeguard consumer data.  According to Kloss, the company also failed to notify consumers and comply with applicable state and federal law.  As the company hasn’t acted reasonably in preventing, detecting, and disclosing the data breach, Eventbrite has acted in negligence.

Kloss and her legal team have demanded a trial by jury.  They’ve also requested appropriate relief, including statutory, compensatory, and punitive damages.  Plus, Kloss and her legal team have asked a court to order Eventbrite to furnish identity fraud monitoring and mitigation services for a reasonable period of time.

The company has yet to issue a statement.

You can read the class-action lawsuit below.

 


2 Responses

  1. Versus

    Isn’t this a bit of blaming the victim?
    EventBrite was victimized here as well.

    • Anonymous

      It actually encourages this ransomware scam. Why hasn’t that guy been arrested and thrown in prison? He’s the extortionist here.