AXS is one of the two ginormous as the digital gatekeepers for millions of fans seeking access to the musical performances in the world’s most iconic arenas, theaters, and stadiums. They’re second in size only to Ticketmaster, and this powerful position means that live performance enjoyers are forced to trust them with our financial and personal data.
Yet despite their massive market dominance, AXS is systematically compelling its customers to transmit their most sensitive government-issued identification through one of the internet’s least secure channels: unencrypted email.
Ironically, all of this is being done allegedly in the name of customer privacy and data protection.
It’s a structural failure that externalizes security risks directly onto the consumer. Please read on for more details.
Anatomy of a Failure
A review of a standard customer support interaction (attached at the bottom of this email) exposes a workflow seemingly engineered to create user friction and data vulnerability.
The protocol for basic account maintenance like changing the email address and phone number on file unfolds as a series of bureaucratic escalations which culminate in a dangerous (dangerous for us, the consumers) security demand.
- Initial Barrier: The system doesn’t allow a simple update to change our contact information. Instead, AXS requires the user to create a completely new, separate account, after which the company will “look into the steps” required to merge them. Pure annoyance.
- Escalation to Insecure Verification: To change the phone number used for two-factor authentication (one of the most basic security features in the world) AXS demands the user surrender a photograph of their government-issued ID.
- Mandated Insecurity: The sole method provided for transmitting this sensitive document is a generic, unsecure email address (
documents@axs.com). Email is a notoriously insecure protocol for transferring sensitive data, vulnerable to interception and data breaches. - Refusal of Secure Alternatives: When the customer identifies the profound security risk of this method and explicitly requests a secure upload portal (a standard feature for any security-conscious organization) the support agent deflects. The agent states that sending a government ID over email is the company’s official “guidance.”
- Systemic Stonewalling: The agent ultimately terminates the support session without resolution, stating they have “maximized the tools and resources available.” This confirms the insecure process is not an agent’s ad-hoc decision but a rigid, non-negotiable company policy, leaving the user unable to secure their account without complying with the hazardous directive.
The Consequences
The ripple effects of such a policy extend far beyond a single frustrated customer like myself, revealing a corporate disregard for foundational data protection principles.
The Data Security Paradox
The central failure is a system that claims to enhance security while actively undermining it. By demanding government IDs be sent via email, AXS creates a centralized honeypot of highly sensitive Personally Identifiable Information (PII).
A single breach of this email inbox could expose thousands, if not millions, of customers to the risk of identity theft. The very process designed to “keep you and this account safe” becomes a vector for catastrophic data exposure. This practice runs counter to basic cybersecurity standards that have been commonplace for over a decade.
We all know that data breaches are commonplace. I have an entire section of this website dedicated to stories of corporations who requested private information from their customers, only to immediately fumble them to cybercriminals.
The Erosion of Trust
The protocol demonstrates a systemic dismissal of legitimate customer security concerns. When a user correctly identifies a major security flaw in the company’s process, they are not met with reassurance or a solution, but with canned responses and a refusal to deviate from the flawed script.
This communicates that the company’s internal policy takes precedence over genuine user safety. Trust in an institution is shattered when its claims of protection are directly contradicted by its actions, forcing users to become their own risk assessors against the very company they are entrusting with their data.
Accountability & The System
The official response, as demonstrated in the screenshots of my chat with their customer support, is to enforce the broken system. The “punishment” is levied not on the corporation for its negligent policies, but on the user, who is left with a locked account and a demand to compromise their own security.
Meaningful accountability in the case of AXS would be the immediate cessation of this hazardous practice and the implementation of industry-standard security measures, such as a secure document portal.
This case is a brilliant illustration of what’s known as “security theater,” where corporations perform will the illusion of safety while engineering systems that place the burden of risk squarely on the shoulders of their customers.
The true failure then, is a corporate mindset which views customer data as a liability to be managed rather than an asset to be protected.
I published a story on AXS’s parent company AEG several months ago, about how their exclusivity contracts are ruining live performances for everyone. Also their CEO is a massive hater of the LGBTQ fun fact: https://evilcorporations.com/anshutz-entertainment-group-radius-contracts-aeg-philip/
Explore by category
Product Safety Violations
When companies sell dangerous goods, consumers pay the price.
View Cases →Financial Fraud & Corruption
Lies, scams, and executive impunity that distort markets.
View Cases →Related posts:
How J.P. Morgan Chase’s Data Breach Exposed Its Workers
35,000 people had their personal data leaked including social security numbers, drivers license details, and health insurance info | CSC ServiceWorks
Disney’s Failure to Safeguard Sensitive Information
Siri is spying on your conversations | Apple Pays $95 Million Privacy Settlement
