Ticketmaster was hit with record bot traffic that crippled its systems when hordes of Taylor Swift fans attempted to buy tickets in November ahead of the singer’s upcoming U.S. tour, the company’s president told the Senate Judiciary Committee Tuesday.
The company suffered “three times the amount of bot traffic than we had ever experienced,” as well as the targeting of the company’s “Verified Fan access code servers,” said Joe Berchtold, chief financial officer and president of Ticketmaster’s parent company, Live Nation Entertainment.
The Verified Fan service was designed to limit ticket re-sellers’ access to tickets, Berchtold said to the panel. But the company and, to some extent, the online retail industry at large are in an “ever-escalating arms race” with ticket re-sellers, he added. Written testimony for the hearing provided to CyberScoop by Live Nation said there is “an arms race escalating between primary ticketers and cyber criminals using bots to illegally obtain tickets.”
The company’s explanation comes amid bipartisan questioning of the company over its handling of the Taylor Swift ticket sales and also its power and dominance in the live event market. Tuesday’s hearing was largely about whether there is true competition in the space, and whether the federal government needs to take anti-trust action against the company.
There was “unprecedented demand for Taylor Swift tickets,” the written statement provided to CyberScoop said. “We knew bots would attack that onsale, and planned accordingly. We were then hit with three times the amount of bot traffic than we had ever experienced, and for the first time in 400 Verified Fan onsales they came after our Verified Fan access code servers. While the bots failed to penetrate our systems or acquire any tickets, the attack required us to slow down and even pause our sales.”
Bots typically pretend to be human buyers, or go through the ticket buying process faster than humans, the testimony said. “The difference here is they were trying to attack the system itself.”
It’s not clear what “attack” means in this context. For instance, was the site hit with a flood of traffic akin to a distributed denial of service attack — where a web service is rendered inaccessible due to overwhelming requests — or was it something else?
The company did not respond to CyberScoop questions seeking additional clarification and detail, or asking whether it was being investigated or reviewed by any government agencies or private companies. Politico reported Monday that the culprit for the attack has yet to be identified and that the company reported the attack to the Federal Trade Commission and the FBI, “which are looking into the incident.”
The FTC would neither confirm nor deny any investigation. The FBI did not respond to a request for comment Tuesday.
A previous statement issued by Ticketmaster said the company had typically been “able to manage huge volume coming into the site to shop for tickets,” but in this case, “the staggering number of bot attacks as well as fans who didn’t have access codes drove unprecedented traffic on our site, resulting in 3.5 billion total system requests — 4x our previous peak.”
Sen. Marsha Blackburn, R-Tenn., pressed Berchtold on why his company could not handle bots, when critical infrastructure operators and others can frequently detect bots and handle that kind of web traffic without disruptions to service.
“They get bot attacks every day by the thousands — by the thousands — and they have figured it out, but you guys haven’t?” she said. “This is unbelievable. You ought to be able to get some good advice from some people and figure this out.”
Blackburn also asked for more detail on whether bots could access user data. The company testimony provided to CyberScoop from Live Nation noted that while the bots “failed to penetrate our systems or acquire any tickets, the attack required us to slow down and even pause our sales.”
Blackburn said that Berchtold told her on Monday that the company had a “hard time distinguishing between a bot attack and a consumer.” She told Berchtold that the “local power company down here that is not the billion dollar company you are, they can tell when they’ve got a bad actor in their system. … They figured out how to define a bot in their system but you can’t? Do we need to make certain you have better people around your IT team?”