While the platform has been accused of exaggerating its subscriber numbers and streaming numbers for Kanye West’s “Life of Pablo” and Beyonce’s “Lemonade” albums — allegations it has strongly denied — the company said in a statement today that “we feel it is important to make sure that our artists, employees, and subscribers know that we are not taking the security and integrity of our data lightly, and we will not back down from our commitment to them.”
CEO Richard Sanders said in a statement: “We reject and deny the claims that have been made by Dagens Næringsliv. Although we do not typically comment on stories we believe to be false, we feel it is important to make sure that our artists, employees, and subscribers know that we are not taking the security and integrity of our data lightly, and we will not back down from our commitment to them.
“When we learned of a potential data breach we immediately, and aggressively, began pursuing multiple avenues available to uncover what occurred. This included reporting it to proper authorities, pursuing legal action, and proactively taking steps to further strengthen our stringent security measures that are already in place.
“Additionally, we have engaged an independent, third party cyber-security firm to conduct a review of what happened and help us further protect the security and integrity of our data. We are proud of the hard work, devotion to our artist driven mission, and tremendous accomplishments of our over one hundred employees in Norway and fifty more in the United States.
“We look forward to sharing with them, and all of our partners, the results of the review once completed.”
Tidal, which has rarely shared its data publicly, had a streaming exclusive on West’s album for its first six weeks of release and continues to be the exclusive streamer for Beyonce’s album. It claimed that West’s album had been streamed 250 million times in its first 10 days of release in February of 2016, while claiming it had just 3 million subscribers — a claim that would have meant every subscriber played the album an average of eight times per day; and that Beyonce’s album was streamed 306 million times in its first 15 days of release in April of 2016.
These claims led the Norwegian paper to investigate the service’s numbers and report that it was intentionally inflating its subscriber count, a report supported by research from British firm Midia, which estimated that Tidal’s total number of subscribers was closer to 1 million globally.
The DN report says that “Beyoncé’s and Kanye West’s listener numbers on Tidal have been manipulated to the tune of several hundred million false plays… which has generated massive royalty payouts at the expense of other artists.” It bases this claim on data contained within a hard drive it obtained that “contains billions of rows of [internal TIDAL data]: times and song titles, user IDs and country codes.” Tidal has disputed the information on the hard drive, but the paper asserts that it matches information received by labels for the time period.
In a statement provided to Variety, Tidal responded: “This is a smear campaign from a publication that once referred to our employee as an ‘Israeli Intelligence officer’ and our owner as a ‘crack dealer.’ We expect nothing less from them than this ridiculous story, lies and falsehoods. The information was stolen and manipulated and we will fight these claims vigorously.” The quotes reference descriptions of Jay-Z and Tidal COO/Roc Nation executive Lior Tibon in a previous Dagens Næringsliv article, which were technically accurate at one time but are decades out of date.
The paper supported its findings with data from NTNU – the Norwegian University of Science and Technology – which it says has “assembled some of Norway’s leading experts in data security and cybercrime prevention.” Its report reads in part, “Using advanced statistical analysis of the data provided by DN, NTNU determined that there had in fact been a manipulation of the data at particular times due to the large presence of similar duplicate records occurring for a large percentage of the userbase that was active at any given time. In reviewing the data, in isolation from any other records or logs, it was not possible to determine the exact means of manipulation; however, the absence of records with unreadable data suggested it was not an external Structured Query Language Injection (SQLi) vector based attack, but rather manipulation from within the streaming service itself. Due to the targeted nature and extent of the manipulation, it is very unlikely that this manipulation was solely the result of a code based bug or other system anomaly. The following analysis shows in detail why this conclusion is the most likely conclusion and further, the nature and extent it is suspected that the manipulation has affected the accuracy of the data … The manipulation appears targeted towards a very specific set of track IDs, related to two distinct albums,” “Pablo” and “Lemonade.” The report can be viewed here.