Full Report
Two people were arrested in New York City after allegedly using backend access to StubHub’s system to steal the URLs for 900 concert tickets, most of which were for Taylor Swift’s popular Eras Tour.
Analysis Summary
# Incident Report: Insider Ticket URL Theft and Resale Scheme
## Executive Summary
This incident was an insider abuse of backend access held by a third-party contractor, Sutherland Global Services (SGS), which provided support services to StubHub. An SGS employee, Tyrone Rose, and an accomplice used that access over roughly 11 months (June 2022 to July 2023) to capture the download URLs for 993 event tickets, predominantly for Taylor Swift's Eras Tour, and forwarded them to co-conspirators in Queens, New York, who resold the tickets for approximately \$635,000. StubHub discovered the activity and referred it to the Queens District Attorney's office, which charged Rose and Shamara Simmons; both were arrested and arraigned in New York.
## Incident Details
- Discovery Date: Not stated in the report. The scheme ran until July 2023, so discovery falls in or after that month.
- Incident Date: June 2022 - July 2023
- Affected Organization: StubHub (via contractor Sutherland Global Services - SGS)
- Sector: E-commerce / Ticketing Services
- Geography: Access was abused from the contractor's offshore site in Kingston, Jamaica; the stolen URLs were forwarded to, and the arrests made in, Queens, New York City.
## Timeline of Events
### Initial Access
- Date/Time: Initiated around June 2022.
- Vector: Abuse of legitimate backend access granted to an SGS employee in his support role at StubHub's contractor. No exploit, malware or stolen credential was involved.
- Details: Tyrone Rose and an accomplice, both working for SGS in Kingston, Jamaica, navigated to the part of the backend where download URLs for sold tickets were generated and queued for email delivery to purchasers.
### Lateral Movement
- Details: No lateral movement in the conventional sense was reported. The actors used the reach their support role already had to get to the area of StubHub's backend where newly generated ticket URLs were staged, then redirected those URLs to co-conspirators in Queens, NY (Shamara Simmons and an accomplice who has since died).
### Data Exfiltration/Impact
- Details: 993 ticket URLs (from roughly 350 orders) were captured and redirected to the Queens co-conspirators, who downloaded the tickets and resold them on StubHub for approximately \$635,000. The affected events included the Eras Tour, Adele, Ed Sheeran, NBA games and US Open tennis.
### Detection & Response
- Date/Time: Scheme concluded/reported around July 2023.
- Details: StubHub discovered the scheme and referred the case to the Queens DA's office. StubHub also reported the issue to the third-party vendor (SGS) and Jamaican law enforcement.
- Response actions taken: The employees involved were promptly fired from SGS. Legal action was initiated resulting in the arrest and arraignment of Rose and Simmons in New York.
## Attack Methodology
- Initial Access: Abuse of legitimate contractor access to the backend ticketing system. The actors were authorized users of the system, not intruders.
- Persistence: (Inferred) Continued use of the access that came with their SGS roles for the 11-month duration; no separate persistence mechanism was needed or reported.
- Privilege Escalation: None reported. The actors' existing role already reached the high-value URL staging area, which is itself the control failure.
- Defense Evasion: No specific evasion technique was reported. The activity used what the report describes only as a "loophole" in how ticket URLs were staged for delivery, reachable from the offshore vendor's access, and it passed as routine support work for 11 months.
- Credential Access: Not applicable; the actors used the credentials issued for their employment roles.
- Discovery: Attacker reconnaissance focused on finding where finalized ticket delivery URLs were staged.
- Lateral Movement: None reported; the actors stayed within the system their role already reached.
- Collection: Identifying and capturing the unique ticket download URLs in the delivery queue before they were emailed to purchasers.
- Exfiltration: Redirecting the captured URLs from the purchasers' email addresses to the co-conspirators' addresses, who then downloaded the ticket barcodes for resale.
- Impact: Financial gain through fraud, and legitimate purchasers deprived of the tickets they had paid for.
## Impact Assessment
- Financial: Approximately \$635,000 in illicit profits for the attackers. Costs associated with investigation and potential liability for StubHub are undisclosed.
- Data Breach: Confidential transaction data (ticket order details and the unique download URLs) for roughly 350 orders was compromised.
- Operational: No direct operational impact on StubHub's main public-facing platform was reported, but integrity of the fulfillment process was severely compromised.
- Reputational: Negative press surrounding ticket theft targeting high-profile events like the Eras Tour.
## Indicators of Compromise
*Note: Specific IoCs were not detailed in the report.*
- Network indicators: (Suspected) Traffic from SGS network ranges to StubHub's internal URL generation and staging endpoints that does not match the normal support workflow.
- File indicators: None reported. The stolen artifacts were ticket URLs and the barcodes they resolved to, not files introduced into the environment.
- Behavioral indicators: Repeated redirection of ticket deliveries to a small set of email addresses that did not belong to the purchasers of record (here, the co-conspirators' addresses in Queens, NY), concentrated on a single support account.
## Response Actions
- Containment measures: Immediate termination of access for the involved SGS employees.
- Eradication steps: The specific system process or "loophole" abused by the attackers was likely reviewed and mitigated by StubHub/SGS.
- Recovery actions: Not explicitly detailed, but presumed to include cancelling the compromised tickets, refunding or re-issuing to the original purchasers where they were affected, and hardening the URL staging process. The perpetrators were arrested.
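The recovery line above mentions hardening the URL staging process. One structural hardening is to stop a delivery link from being a bearer token at all: bind it to the order, the purchaser's account and an expiry with an HMAC, and have the download endpoint check that the authenticated requester is the bound purchaser. The following is an added example, not StubHub's or SGS's code; the endpoint URL, the account identifiers and the signing key are assumptions, and the weak bearer design is included only as the "before" for comparison.

```python
"""Added example: a ticket delivery link bound to its purchaser, beside the
bearer-style link that anyone with access to the delivery queue can copy.
Not StubHub code; endpoint, account ids and key are hypothetical."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed server-side secret. In production this lives in a KMS/HSM, not in code.
SIGNING_KEY = secrets.token_bytes(32)
BASE = "https://tickets.example/download"  # hypothetical download endpoint

# --- Weak design: bearer URL. Whoever holds the link holds the ticket. ---
_bearer_store = {}  # token -> order_id, standing in for a database table


def issue_bearer_url(order_id):
    token = secrets.token_urlsafe(16)
    _bearer_store[token] = order_id
    return f"{BASE}?{urlencode({'t': token})}"


def redeem_bearer(url, requester_account):
    """Returns the order for any valid token; the requester is never checked."""
    token = parse_qs(urlsplit(url).query).get("t", [""])[0]
    return _bearer_store.get(token)


# --- Hardened design: link bound to order, purchaser account and expiry. ---
def _mac(order_id, account_id, expires):
    msg = f"{order_id}|{account_id}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_bound_url(order_id, purchaser_account, ttl_seconds=3600, now=None):
    expires = int(now if now is not None else time.time()) + ttl_seconds
    q = {"o": order_id, "a": purchaser_account, "e": expires,
         "m": _mac(order_id, purchaser_account, expires)}
    return f"{BASE}?{urlencode(q)}"


def redeem_bound(url, requester_account, now=None):
    """Return order_id only if the link is intact, unexpired and presented by
    the purchaser it was bound to; otherwise None."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    try:
        order_id, account, expires, mac = q["o"], q["a"], int(q["e"]), q["m"]
    except (KeyError, ValueError):
        return None
    if not hmac.compare_digest(mac, _mac(order_id, account, expires)):
        return None  # parameters were altered after issuance
    if (now if now is not None else time.time()) > expires:
        return None  # stale link
    if account != requester_account:
        return None  # copied link presented from another account
    return order_id


def demo():
    """Scenario: an insider copies the queued link and redeems it elsewhere."""
    t0 = 1_700_000_000  # fixed clock so the outcome is deterministic
    bearer = issue_bearer_url("O1002")
    bound = issue_bound_url("O1002", "acct_bob", now=t0)
    return {
        "bearer_by_insider": redeem_bearer(bearer, "acct_resale"),
        "bound_by_insider": redeem_bound(bound, "acct_resale", now=t0 + 100),
        "bound_by_purchaser": redeem_bound(bound, "acct_bob", now=t0 + 100),
        "bound_tampered": redeem_bound(
            bound.replace("a=acct_bob", "a=acct_resale"), "acct_resale", now=t0 + 100),
        "bound_expired": redeem_bound(bound, "acct_bob", now=t0 + 10_000),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'ticket released' if result else 'refused'}")
```

The binding only helps if the download endpoint authenticates the requester; a link that resolves straight to a barcode image with no login is still a bearer credential whatever its query string says. It also does not remove the need to monitor the queue itself, since an insider who can read the rendered barcode rather than the link still has the ticket.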
## Lessons Learned
- Insider risk from third-party vendors, even those providing back-office support, poses a significant threat if their network access is not strictly segmented and monitored.
- The pipeline that generates and stages final delivery URLs needs end-to-end monitoring, in particular of any change to a delivery recipient, so that redirection or interception is detected in days rather than after 11 months.
- Remote access granted to offshore contractors must be subject to the same stringent supervision as direct employee access.
## Recommendations
- Implement Zero Trust access for all third-party contractors, limiting each role to the minimum functions it needs; a support role that can read or redirect queued ticket deliveries should be the exception, not the default.
- Enhance logging and alerting on any redirection or modification at data egress points (queued email deliveries, URL generation endpoints), with alerts keyed on repeated changes by one actor and on destination addresses that receive tickets for orders they did not place.
- Conduct immediate, comprehensive security audits of all third-party vendor environments integrated within the ticketing fulfillment pipeline.
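The behavioral indicator in the Indicators of Compromise section and the logging recommendation above both come down to the same check: a delivery whose recipient is not the purchaser of record, repeated by one actor or concentrated on a few destination addresses. The script below is an added example, not StubHub's or SGS's tooling, that runs that check over a constructed fulfillment audit log. The log format (CSV with `ts, order_id, purchaser_email, delivery_email, actor, action`), the `recipient_changed` action name and the thresholds are assumptions.

```python
"""Added example: detect ticket-delivery redirection in a fulfillment audit log.
Not StubHub or SGS tooling; the log format and thresholds are assumptions."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample log (not real data). One row per event on the delivery queue.
# agent_a redirects three orders, two of them to the same drop address;
# agent_b makes a single change to what looks like the purchaser's own second address.
SAMPLE_LOG = """\
ts,order_id,purchaser_email,delivery_email,actor,action
2023-06-01T10:00:00Z,O1001,ann@example.com,ann@example.com,system,queued
2023-06-01T10:00:05Z,O1001,ann@example.com,ann@example.com,system,sent
2023-06-01T10:02:00Z,O1002,bob@example.com,bob@example.com,system,queued
2023-06-01T10:02:30Z,O1002,bob@example.com,drop1@example.net,agent_a,recipient_changed
2023-06-01T10:02:35Z,O1002,bob@example.com,drop1@example.net,system,sent
2023-06-01T11:15:00Z,O1003,cat@example.com,cat@example.com,system,queued
2023-06-01T11:15:20Z,O1003,cat@example.com,drop1@example.net,agent_a,recipient_changed
2023-06-01T11:15:25Z,O1003,cat@example.com,drop1@example.net,system,sent
2023-06-01T13:40:00Z,O1004,dan@example.com,dan@example.com,system,queued
2023-06-01T13:40:10Z,O1004,dan@example.com,drop2@example.net,agent_a,recipient_changed
2023-06-01T13:40:15Z,O1004,dan@example.com,drop2@example.net,system,sent
2023-06-01T14:05:00Z,O1005,eve@example.com,eve@example.com,system,queued
2023-06-01T14:05:30Z,O1005,eve@example.com,eve.work@example.org,agent_b,recipient_changed
2023-06-01T14:05:35Z,O1005,eve@example.com,eve.work@example.org,system,sent
"""


def parse_log(text):
    """Parse the CSV audit log into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def find_redirects(rows):
    """A redirect is a human-initiated recipient change that moves the
    delivery away from the purchaser of record."""
    return [
        r for r in rows
        if r["action"] == "recipient_changed"
        and r["delivery_email"].lower() != r["purchaser_email"].lower()
    ]


def actor_alerts(redirects, threshold):
    """Actors who redirected at least `threshold` distinct orders."""
    orders_by_actor = defaultdict(set)
    for r in redirects:
        orders_by_actor[r["actor"]].add(r["order_id"])
    return {a: sorted(o) for a, o in orders_by_actor.items() if len(o) >= threshold}


def sink_alerts(redirects, threshold):
    """Destination addresses that received at least `threshold` distinct orders
    they did not purchase: the drop box for stolen links."""
    orders_by_dest = defaultdict(set)
    for r in redirects:
        orders_by_dest[r["delivery_email"].lower()].add(r["order_id"])
    return {d: sorted(o) for d, o in orders_by_dest.items() if len(o) >= threshold}


def analyze(text, actor_threshold=3, sink_threshold=2):
    """Run both rules over a log and return the raw redirect count plus alerts."""
    redirects = find_redirects(parse_log(text))
    return {
        "redirect_count": len(redirects),
        "actors": actor_alerts(redirects, actor_threshold),
        "sinks": sink_alerts(redirects, sink_threshold),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"{result['redirect_count']} redirected deliveries")
    for actor, orders in result["actors"].items():
        print(f"ALERT actor {actor} redirected {len(orders)} orders: {', '.join(orders)}")
    for dest, orders in result["sinks"].items():
        print(f"ALERT sink {dest} received {len(orders)} orders: {', '.join(orders)}")
```

A single recipient change can be a legitimate support action (a purchaser asking for delivery to a different address), which is why the rules key on repetition per actor and on concentration per destination rather than firing on every change. In production the thresholds would be set from a baseline of normal support volume, and the window would be rolling rather than the whole log.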