Cyber thieves got into more than 1,000 StubHub customers’ accounts and fraudulently bought tickets for events through the online ticket reseller, a law enforcement official and the company said.
Arrests were expected in a case that sprawled across international borders, said the official, who wasn’t authorized to discuss it ahead of arrests being announced and spoke on the condition of anonymity.
Manhattan District Attorney Cyrus R. Vance Jr. was expected to hold a news conference Wednesday with London and Royal Canadian Mounted Police officials. A spokeswoman for Vance’s office declined to comment Tuesday night on the case, which comes amid growing concern about data thieves targeting retailers and other consumer giants.
StubHub, which is based in San Francisco, said that the thieves didn’t break through its security – rather, they got account-holders’ login and password information from data breaches at other websites and retailers or from key-loggers or other malware on the customers’ computers, spokesman Glenn Lehrman said.
The company detected the unauthorized transactions last year, contacted authorities and gave the affected customers refunds and help changing their passwords, he said.
It’s unclear whether the digital prowlers then exploited their access to scoop up more information from the compromised accounts. The company and the law enforcement official wouldn’t give further details Tuesday.
StubHub, owned by eBay Inc., is the leading digital marketplace for reselling concert, sports, theater and other tickets, offering brokers and fans a way “to buy or sell their tickets in a safe, convenient and highly reliable environment,” as its website pledges. The company, which serves as an official secondary ticket market for such entities as Major League Baseball, this spring unveiled plans to become an event producer itself, selling tickets to a handful of its own concerts.
In the last year, major companies such as Target, LinkedIn, eBay and Neiman Marcus have been hacked. Target, the nation’s second-largest discounter, acknowledged in December that data connected to about 40 million credit and debit card accounts was stolen as part of a breach that began over the Thanksgiving weekend. Even Goodwill Industries Inc. found itself announcing last month that shoppers’ payment card data might have been stolen.
Ticket-sellers also have been targeted. The event ticketing service Vendini last month settled a class action lawsuit related to a data breach in 2013.
Since many people use the same passwords at multiple retailers, hackers who get hold of a password for one site often try it at another, Lehrman said.
Authorities generally advise consumers to protect against possible identity theft from such breaches by keeping close watch on their bank statements and using credit card monitoring services, among other tips.