Cyber thieves got into more than 1,000 StubHub customers' accounts and fraudulently bought tickets for events -- from Yankee games to Jay-Z concerts -- through the online ticket reseller in a $10 million international rip-off scam, officials said Wednesday.
Manhattan District Attorney Cy Vance announced charges against an Upper East Side man and a New Jersey man, as well as suspects in Russia, London and Canada, in the case Wednesday afternoon.
The suspects pleaded not guilty to the charges in a Manhattan court Wednesday. Daniel Petryzyn, of the Upper East Side, is a graduate of Penn State and worked for a food caterer, authorities say. He is being held on $2 million bond.
The New Jersey man, Bryan Caputo, is a graduate of Montclair State University and lives in Hudson County, according to authorities. His lawyer said he did not know the tickets he was moving were stolen. He is being held on $250,000 bond.
According to investigators, hackers used malware or hacked other websites to obtain login information for StubHub users' accounts and used credit cards on file with the online ticket company to buy tickets to concerts and sporting events, including to Justin Timberlake and Jay-Z concerts, Yankee games and Broadway shows. They then allegedly used runners to resell the tickets before unsuspecting customers knew their accounts had been compromised.
Since customers often use the same password information at multiple sites, the hackers apparently had an easy time getting access to some users’ Stubhub accounts, authorities say.
Dozens of times a day, the suspects allegedly pretended to be actual StubHub users and bought and downloaded tickets they would then transmit to runners for resale. The millions in sales were shared and laundered overseas to ringleaders in Russia, according to investigators.
StubHub, which is based in San Francisco, said that the thieves didn't break through its security like the thieves did in the case of the Target data breach, for example. Rather, they got account-holders' login and password information from data breaches at other websites and retailers or from key-loggers or other malware on the customers' computers, the company said.
It was a StubHub security team that first alerted the district attorney's office in Manhattan and U.S. Secret Service about the criminal hacking operation that dates back to 2012.
"Our customers are our number one priority," StubHub said in a statement Wednesday. "Once fraudulent transactions were detected on a given account, affected customers were immediately contacted by StubHub's Trust and Safety team and refunded any unauthorized transactions."
StubHub, owned by eBay Inc., is the leading digital marketplace for reselling concert, sports, theater and other tickets, offering brokers and fans a way "to buy or sell their tickets in a safe, convenient and highly reliable environment," as its website pledges. The company, which serves as an official secondary ticket market for such entities as Major League Baseball, this spring unveiled plans to become an event producer itself, selling tickets to a handful of its own concerts.
In the last year, major companies such as Target, LinkedIn, eBay and Neiman Marcus have been hacked. Target, the nation's second-largest discounter, acknowledged in December that data connected to about 40 million credit and debit card accounts was stolen as part of a breach that began over the Thanksgiving weekend. Even Goodwill Industries Inc. found itself announcing last month that shoppers' payment card data might have been stolen.
Ticket-sellers also have been targeted. The event ticketing service Vendini last month settled a class action lawsuit related to a data breach in 2013.
Authorities generally advise consumers to protect against possible identity theft from such breaches by keeping close watch on their bank statements and using credit card monitoring services, among other tips.