Attendees of Melbourne’s most popular film festival will no longer need to provide a postal address when buying tickets after a recent data breach motivated the company to reduce its data collection practices.

Data breach responses tend to follow a predictable playbook: contain the incident, announce what was leaked, and secure your systems to mitigate the chances of a similar breach happening again.

Melbourne International Film Festival (MIFF), however, has taken this process one step further by announcing it will no longer demand a physical address from filmgoers.

“We have simplified our ticketing processes,” MIFF told customers over the weekend.

“Address details will no longer be required for future ticket purchases and credit card processing.”

The company suffered its security incident in late May, when a hacker gained access to a system which held the personal details of roughly 27,000 filmgoers.

Among the affected data was ticket holders’ and members’ names, phone numbers, email addresses, and residential addresses.

Although no payment card details or passwords appear to have been compromised, Niusha Shafiabady, director of the Women in AI for Social Good lab at Australian Catholic University, said MIFF’s newly announced data cutback was a “good and sensible decision”.

“Of course, organisations need to check their systems, review their vendors, and improve security controls,” Shafiabady told Information Age.

“But they also need to ask a more basic question: why were we collecting this information in the first place?

“The less unnecessary personal information an organisation collects, the less information there is to lose, leak or misuse.

“If address details are not genuinely needed for buying a ticket or processing a payment, then removing that requirement is the right thing to do.”

An opportunity to rethink data

In a statement to Information Age, MIFF chief executive Damien Hodgkinson said although the company was “extremely disappointed” by last month's incident, it had used it as an “opportunity to reset how we think about data”.

“Too often, organisations continue to collect information by default rather than by necessity,” said Hodgkinson.

“Going forward, our approach is simple: if we don't still need a particular detail to deliver the MIFF experience, we won't be asking for it."

It was initially believed some 26,782 customer records held in third-party ticketing platform Ferve were impacted, though MIFF notified an additional tranche of affected customers over the weekend.

MIFF notified “additional individuals whose information was involved” via email. Source: Supplied

Following the incident, a post on a dark web forum advertised the sale of an alleged dataset related to more than 340,000 customers.

MIFF has also confirmed “the party responsible for the incident” published a set of customer information online.

The company has notified the Office of the Australian Information Commissioner (OAIC), the Australian Cyber Security Centre (ACSC) and Victoria Police.

A ‘rare’ commitment

Blaine Hattie, principal at Sutton Laurence King Lawyers, told Information Age MIFF’s response had “set a good example” for Australian data breaches.

Hattie said public commitments to collect less data are “rare in Australia” – where most recent major breaches have followed a consistent pattern of harm occurring after information was “kept long after any need for it had passed”.

He added that recent legislative changes have altered the economics of holding personal information.

In 2022, landmark data breaches at Optus and Medibank motivated significant privacy law changes that bumped the maximum penalty for serious privacy breaches from roughly $2.2 million to $50 million or more.

Hattie explained that since then, individuals have gained a direct right to sue for serious invasions of privacy; the privacy regulator has gained access to mid-tier penalties for less serious privacy breaches; and last October, the Federal Court ordered the first-ever civil penalty to be handed down for breaches of the Privacy Act.

“The practical effect is that every record an organisation holds now carries regulatory, litigation and reputational exposure,” said Hattie.

“Boardrooms are starting to view data retention as a serious hazard and holding less data is the cheapest way to reduce exposure.”

Shafiabady added that MIFF’s decision “could set a useful precedent”.

“MIFF’s response goes beyond the usual language of ‘we take privacy seriously’,” she said.

“The precedent here is not simply that organisations should apologise or notify affected customers.

“The precedent is that they should learn from the breach and change their data practices.

“If other organisations follow this approach, it could help shift breach response in Australia from damage control to genuine reform.”