Business News Digital Legal Live Business

US judge dismisses lawsuit over the big Ticketfly data hack

By | Published on Wednesday 5 June 2019


A judge in Cook Country, Illinois has dismissed the class action lawsuit that was filed against Eventbrite over last year’s Ticketfly hack, though the claimants have until 9 Jul to file an amended complaint.

The website of US-based ticketing firm Ticketfly went offline around about this time last year following a hacking of its servers the previous month. At the time the company said that “following a series of recent issues with Ticketfly properties, we’ve determined that Ticketfly has been the target of a cyber incident”.

It went on: “Out of an abundance of caution, we have taken all Ticketfly systems temporarily offline as we continue to look into the issue. We are working to bring our systems back online as soon as possible. Please check back later”.

It was subsequently confirmed that, while no credit or debit card information was accessed during the big hack, other personal information linked to about 27 million Ticketfly accounts had been taken. Vice’s tech site Motherboard also reported that the person behind the hack had claimed to have previously warned the ticketing set-up of a vulnerability on its platform, but that the hacker’s warnings had gone unheeded.

The lawsuit followed in October and targeted Eventbrite, which acquired Ticketfly in 2017. The ticketing firm then formally responded in March seeking to have the case dismissed.

It argued that the plaintiffs had failed to prove that they had actually bought tickets from Ticketfly, the rest of the Eventbrite platform being unaffected by the hack. Plus, Eventbrite’s lawyers argued, the lawsuit failed to explain why – even if the claimants had been directly impacted by the data grab – that had resulted in tangible harm.

According to Law360, judge Michael T Mullen basically concurred with Eventbrite’s criticisms of the class action this week. Dismissing the lawsuit as it currently stands, he said that the plaintiffs need to explain what specific contract they had with the ticketing company that had been breached and how the data hack had caused “concrete injury”.

On the latter point, Mullen ruled that the plaintiffs having to monitor their credit cards and bank accounts for any future fraud resulting from the hack was not sufficient. He remarked “you’re only talking about potential harm”.

It remains to be seen if the plaintiffs can deal with those issues in an amended lawsuit. If they do, Eventbrite already has another come-back prepared, to the effect that the litigation should have been filed in California not Illinois. The judge said he’d consider that argument if and when a second lawsuit is filed.