Ticketmaster has claimed they were hit by a cyber-attack in November 2022 that led to extensive issues with ticket sales for Taylor Swift's US tour.
Joe Berchtold, president of Live Nation, Ticketmaster's parent company, made the revelations at a US congressional committee Tuesday.
"We were [...] hit with three times the amount of bot traffic than we had ever experienced, and for the first time in 400 Verified Fan on sales, they came after our Verified Fan access code servers," Berchtold claimed.
"While the bots failed to penetrate our systems or acquire any tickets, the attack required us to slow down and even pause our sales. This is what led to a terrible consumer experience that we deeply regret."
At the hearing, senator Amy Klobuchar, who chairs the US Senate committee on consumer rights, said that the "high fees, site disruptions and cancellations that customers experienced shows how Ticketmaster's dominant market position means the company does not face any pressure to continually innovate and improve."
Berchtold acknowledged the company should have done better, saying Ticketmaster could have extended the sales "over a longer period of time" to prevent the system overload and that it should have done "a better job setting fan expectations for getting tickets."
Alexander Heid, chief research and development officer at SecurityScorecard, agrees that Ticketmaster appears to have suffered from a bot-driven attack.
"The availability issues reported by Ticketmaster to have occurred during the sale of Taylor Swift tickets [were] a result of bots attempting to acquire tickets for resale; the high volume of requests resulted in a DDoS-like condition whereby floods of artificial traffic caused slowdowns and outages during a flash sales event," Heid told Infosecurity in an email.
According to the security expert, while it is challenging to mitigate floods of unexpected traffic, preparations can be put into place to scale with the traffic if it is expected.
"[With] techniques such as implementing bot filtering based on IP address reputation, user-agents can mitigate some of the 'junk traffic' – but sophisticated operations will make use of bots that use residential IPs and valid user-agents – having load balancing and CDN configurations implemented will go a long way to ensure that customers are continuously able to conduct transactions."
The congressional committee hearing comes months after Ticketmaster rival See Tickets notified customers of a significant breach of their personal and financial information.