Taylor Swift fans were naturally excited for the announcement of her first concert tour since 2018, and Ticketmaster initially blamed a ticket website crash on the “historical” enthusiasm of millions showing up at the time of release. That story appears to have changed now that Live Nation executives have been brought in front of the Senate Judiciary Committee, with the claim now being that a small army of bots was both purchasing tickets and attempting to breach the servers simultaneously.
The claim was not well-received by the committee members, who questioned why Ticketmaster had not been prepared for this possibility and noted that competitor SeatGeek did not experience similar issues in selling their share of the tickets.
Ticketmaster blames Taylor Swift mayhem on bot attack
In spite of the technical mishaps, Taylor Swift’s upcoming tour broke the record for ticket sales in a single day by an individual artist. But legions of fans were frozen out during the presale period, as the site either locked up or placed them in queues thousands long that never seemed to move.
The incident created a massive PR disaster for Ticketmaster as complaints became the #1 trending topic on assorted social media sites; this led to a small wave of celebrities piggybacking on the incident by calling for investigation and increased regulation of Ticketmaster. In addition to sparking class action lawsuits, the wave of public outcry led to action by the Senate antitrust panel. On January 24, Ticketmaster executives were called to a three-hour hearing that saw them subjected to intense bipartisan scrutiny.
Ticketmaster possesses about 80% of the ticket market for live concerts, and critics argue that it holds an anticompetitive position and that its dominant position gives it leeway to mistreat customers in situations such as these. The testimony of Ticketmaster executives to the Senate was that it had anticipated demand and had even prepared for the possibility of bot attacks, but that it saw three times the amount of bot traffic it ever had before once the Taylor Swift tickets went on sale and that its “Verified Fan” access code servers were attacked by hackers for the first time ever. Ticketmaster blamed advanced scalper and hacker technology and techniques, claiming that the bot attack was more than it could realistically keep up with. However, the executives did not elaborate on exactly what anti-bot measures they were using during the testimony.
Some of the senators pressed on that point, however, noting that Ticketmaster’s largest competitor SeatGeek was able to sell tickets to 52 upcoming Taylor Swift concerts without experiencing similar issues. They also noted that other websites field thousands of bot attacks daily without service disruptions.
Bot attack was legitimate, but questions remain about Ticketmaster’s role
Independent security researchers have verified that Ticketmaster did indeed experience a heavy bot attack during the ticket sale, not a surprising development given that “scalper bots” have been an ongoing problem for over a decade now. One analysis found that Ticketmaster should have anticipated about 3.5 million purchases by pre-registered fans during the initial sale period, but that the company saw closer to 10 times that amount of attempts by bots in the opening hours.
The central question is whether Ticketmaster implemented an appropriate level of bot filtering defenses for the anticipated load and, if it did not, whether the security shortcoming stemmed in some way from its dominant market position, through a lack of motivation or impetus to improve. In addition to providing little testimony on its security posture, the company did not really address exactly what kind of hacking attempts it was fielding during the bot attack. The company has also not named any suspects as of yet.
Ticketmaster’s current level of market dominance is traced back to the 2010 merger with Live Nation, which is now its parent company. The companies have drawn antitrust scrutiny since that merger happened and are required to comply with a Department of Justice decree that prevents them from acting to stifle competitors. The relatively swift action on this issue is owed in part to that ongoing status, and in part to the fact that attacking the company is politically popular on both sides of the aisle.
The issue of bot attacks on ticketing systems has been addressed by legislation before: the 2016 BOTS Act outlawed the resale of tickets purchased via bots and created some hefty per-instance fines for violations. However, critics point out that the act has only been used for an enforcement action once and that much of this bot activity is directed from overseas.
Sam Crowther, founder and CEO at Kasada, thinks that focusing on regulation is much less productive than focusing on awareness and defensive measures: “Better enforcement of the BOTS Act won’t solve the problem for Ticketmaster and thousands of other online businesses. Attackers are driven by money – and the use of bots has proven to be a quick and effective way to acquire and resell goods for huge profits. Whenever there’s a profit to be made, bots will follow. People underestimate how much bot operators have evolved and how lucrative it has become; at a $1,000 profit per seat, reselling 20,000 seats means a financial gain of $20 million, just for a single show. Bots are not as easy to stop as many outside the industry assume. Attackers understand the defenses that retailers use and actively take steps to work around them, constantly changing their attack methods to stay a step ahead. It takes dynamic – not static – approaches to properly counter the threat while undermining the profit that can be made.”