Ticketmaster Hack: Don’t Expect Any Real Action from Canadian Authorities

560 million people had their information stolen in the Ticketmaster hack. Canadian law still isn’t built to respond to this.

One of the big security stories going around right now is the Ticketmaster hack. The hack was carried out by ShinyHunters, who are apparently trying to sell the massive trove of personal information for about $500,000 USD. The trove of personal information is, without a doubt, huge. It weighs in at 560 million accounts. Ticketmaster, for their part, confirmed that, yes, the hack did, in fact, happen. From the BBC:

Ticketmaster owner Live Nation confirmed “unauthorised activity” on its database after a group of hackers said they had stolen the personal details of 560 million customers.

ShinyHunters, the group claiming responsibility, says the stolen data includes names, addresses, phone numbers and partial credit card details from Ticketmaster users worldwide.

The hacking group is reportedly demanding a $500,000 (£400,000) ransom payment to prevent the data from being sold to other parties.

In a filing to the US Securities and Exchange Commission, Live Nation said that on 27 May “a criminal threat actor offered what it alleged to be Company user data for sale via the dark web”, and that it was investigating.

Given Ticketmaster’s global reach and market power (market power so great that the US Department of Justice is suing to have it broken up due to anti-trust concerns), it’s safe to say that customers from numerous countries have been affected. This includes the very likely possibility that Canadians’ personal information is part of that trove.

At the moment, it isn’t clear what the nature of the hack was. Specifically, it isn’t clear whether this was a highly sophisticated breach that exploited some unknown zero day to break in and steal that information, or whether Ticketmaster’s security wasn’t that secure and negligence somewhere along the line played a role. I think that remains to be determined.

Regardless of which side of the spectrum this hack sits on, from the Canadian perspective, it really doesn’t matter that much from a regulator’s perspective. As many readers here have known for a long time, Canadian privacy law is something of a running joke. The way the system works is that if a breach or leak happens, the Canadian privacy commissioner, a provincial privacy commissioner, or a number of provincial privacy commissioners (maybe a combination somewhere in between) will investigate. They’ll ask for information regarding the incident and come up with a determination over whether or not privacy laws were violated.

If they determine that the laws were broken, they send a strongly worded letter. They may ask the company to clean up their act or ask them to perform a series of steps that would get them closer to being in compliance with the law. One thing I will emphasize here again is that, generally speaking, the privacy commissioners have long been doing excellent work. They have found out and informed the public about things related to privacy in ways even I sometimes don’t think of to this day. The problem is that the current privacy laws are toothless.

Once a strongly worded letter is sent out, that is it. If the company basically shreds those strongly worded letters, then there is nothing more the commissioners can do in their formal roles. This song and dance was showcased quite well with the Cambridge Analytica scandal. Multiple privacy commissioners found that Facebook violated Canadian privacy laws and asked them to clean up their act in a strongly worded letter. Facebook effectively told the commissioners to go fuck themselves in response.

The commissioners, in response, knew that there was nothing more they could do in their roles as privacy commissioners as all the tools in the chest had been used to no effect. The commissioners, however, didn’t back down. They went to the extreme of stepping out of their roles as commissioners and into their roles as private citizens and sued Facebook. Brazil had already fined Facebook $1.6 million. In the US, the FTC fined Facebook a record-breaking $5 billion. All of that was over privacy violations. With that kind of international momentum, it really felt like there was going to be justice in Canada as well over this scandal. Alas, that was not to be. To further pour salt in the wound for how broken Canada’s privacy laws are, the judge dismissed the case, essentially saying that Facebook did nothing wrong. Even the extreme response from the commissioners was unable to deliver any kind of justice for Canadians, highlighting how catastrophically broken Canadian privacy laws really are.

For this and countless other reasons, I have been a huge advocate for privacy reform. The need for real privacy reform couldn’t be more obvious. There need to be consequences for intentionally mishandling people’s personal information beyond finger wagging and strongly worded letters. There’s an entire industry devoted to the buying and selling of people’s personal information (legally or not). Businesses in places where privacy laws are lax or non-existent will continue to neglect protecting people’s personal information largely because there is nothing really telling these companies that protecting people’s personal information is important. At most, a massive privacy breach to these companies is little more than a PR problem, ignoring the potential catastrophic problems their customers could face somewhere down the road due to theft, fraud, harassment, or many other problems.

All that is needed in Canada is for politicians to actually get off their lazy butts and do the right thing. Unfortunately, doing the right thing is about the last thing politicians want to do. Even after years of successive privacy scandals, the Canadian government continues to hit the snooze button and slow-walk privacy reform legislation that a number of critics have said is little more than half measures to fix the privacy mess we are in today.

All of this is to say that regardless of what details come out of the Ticketmaster scandal, there will not be any real concrete things the government or the many regulators will do here. At most, we’re going to go through the song and dance of commissioners sending strongly worded letters. When those invariably fail to do anything, at best, we’ll see Canadians band together to form a class action lawsuit against the company (assuming Ticketmaster wound up violating privacy laws in the process). There might be something that could theoretically come out of it, but the broken privacy system we have today still shouts out on a megaphone that Canadians are on their own to defend themselves.

Until politicians finally start treating this very obvious problem seriously, this cycle of “ain’t nothing gonna happen” is only going to continue to repeat in Canada. Canadians will have to hope that other countries put on their grown-up pants and issue fines if Ticketmaster did anything wrong. At the moment, Europe would be the best shot for any justice by extension because authorities in Canada are basically worthless in this scenario.

At any rate, this is another major privacy story, and Canadians continue to be unprotected when it comes to the protection of personal information. This will likely continue for the foreseeable future. If your personal information is being used, you’re on your own.

Drew Wilson on Mastodon, Twitter and Facebook.

1 thought on “Ticketmaster Hack: Don’t Expect Any Real Action from Canadian Authorities”

  1. We do need privacy reform, but we also need to look at how these crimes are investigated and what laws need to be changed or implemented. Items to review include international cooperation on investigating hacks, how to track payments, and what tools do hackers use to hide their tracks.
