Peter A Clarke

I was long an avid attender of the offerings of the Melbourne International Film Festival (“MIFF”) over a 2 1/2 week period. When I started attending tickets were printed out and the program was an insert in the Age and at the box office. No longer. It is all very digital now. And the MIFF has a large database, which included my details. On Monday the MIFF emailed me about a privacy incident. It has apparently affected 26,000 customers.  The means of access was through a third party provider, here a ticketing platform.

The email stated:

We are writing to inform you of a privacy incident that has affected the personal information of a small proportion of MIFF customers.

If you did not receive a separate notification email, your information was not affected.

We understand that news like this may be concerning, and we sincerely apologise for any worry or inconvenience this incident may cause. Protecting the information entrusted to us is extremely important, and we are taking this matter very seriously.

What happened

On 29 May, MIFF’s ticketing provider, Ferve, identified unauthorised access to its ticketing system. As soon as the activity was detected, access to the system was temporarily suspended while investigations commenced.

On 30 May, further unauthorised access to the Ferve ticketing system occurred, and some customers received emails or SMS messages sent directly through the system without authorisation.

MIFF and Ferve are continuing to investigate the incident, determine the full scope of the impact and implement additional security measures to help prevent a similar incident from occurring in the future.

Importantly, no credit card information or MIFF account passwords were accessed.

What information may have been affected?

Our investigation indicates that the personal information involved may include:

• Name
• Email address
• Phone number
• Residential address

At this stage, we have no evidence that any other categories of personal information were affected.

As a precaution, we recommend that you:

• Be cautious of unexpected emails, text messages or phone calls asking you to provide personal information or click on links.
• Avoid sharing passwords, verification codes, banking information or other sensitive information unless you are certain of the identity of the person or organisation contacting you.
• Monitor your accounts and communications for any unusual activity.
• Consider changing your password as a precautionary measure if you use the same password across multiple online services.

If you are concerned about the risk of identity fraud, you may contact IDCARE, Australia’s national identity and cyber support service:

IDCARE
Phone: 1300 432 273
Website: www.idcare.org

Further information about protecting your personal information following a data breach is available from the Office of the Victorian Information Commissioner.

What we are doing

We have taken steps to contain the incident and are continuing to work closely with Ferve to investigate the cause and impact of the unauthorised access.

MIFF has notified the Australian Signals Directorate’s Australian Cyber Security Centre and is working through all relevant regulatory and reporting obligations as our investigation continues.

We will continue to keep affected customers informed as our investigation progresses.

Contact us

If you have any questions or concerns, please contact us at: miff@miff.com.au

We sincerely apologise for this incident and thank you for your patience and understanding while our investigation continues.

It is not a bad notification.  It identifies when the breach happened and what was being done.  That puts the notice far ahead of many notices in Australia.  

Because I did not receive a separate second email my details were no affected.  Interestingly it has been a very long time since I attended a MIFF event.  Given I am happy to be kept informed about what has happened the use of my data was not excessive and should not have been removed.  

The hackers have used the contact details to send humorous, to some, texts.  That is concerning but a lot less damaging than credit card details.  It is intrusive though.  

Access via third parties is a chronic problem and one that does not attract enough attention. Too many third party providers have inadequate data security and the primary collector of the information often does little to ensure standards are of a sufficient standard. 

The ABC has reported on the MIFF data breach with Melbourne International Film Festival customers’ data leaked via Ferve platform.

The story provides:

Melbourne International Film Festival (MIFF) customers have received strange texts and emails after a data leak linked to the event’s third-party ticketing system.

The information of more than 26,700 customers may have been affected after unauthorised access to information on the Australian-owned ticketing platform Ferve.

This represents approximately 10 per cent of the festival’s total database.

Some customers have reported being texted sad face emojis and emailed about Miley Cyrus.

One email reportedly from the film festival titled “Critical Security Incident” simply said: “i feel like miley cyrus sometimes.”

MIFF said they became aware of the issue on Friday, May 29 and some customers started to receive messages sent through the Ferve system on Saturday.

“[We] took immediate steps to contain the issue, working with Ferve to suspend access to the affected accounts and implement additional security measures,” a MIFF spokesperson said.

“Our investigation indicates that certain customer personal information may have been accessed, including names, email addresses, phone numbers and residential addresses.”

According to MIFF, Ferve does not store complete credit card information and no account passwords were compromised.

“We have advised affected customers to remain cautious of unexpected emails or SMS messages that appear to come from MIFF and to avoid clicking links or providing personal information unless they are confident of the source,” a spokesperson said.

They said the investigation into how the breach occurred was ongoing and that the Australian Cyber Security Centre had been notified.

The film festival is an annual event in Melbourne, with this year’s dates scheduled for August 6 to 23.

It uses the ticketing platform Ferve, which services many other festivals and venues around Australia and abroad.

Ferve’s website states that numerous other Australian festivals use its services, including the Sydney Fringe Festival, Sydney Film Festival and Melbourne Writers Festival.

The ABC has contacted Ferve for comment.