Melbourne’s most popular annual film festival has suffered a security incident impacting the personal information of nearly 27,000 filmgoers.
On Sunday night, attendees of Melbourne International Film Festival (MIFF) were told that a privacy incident involving its third-party ticketing provider, Ferve, may have affected their personal information.
Impacted customers were told their name, email address, phone number and residential address may have been accessed without authorisation on the Ferve platform.
“We understand that news like this may be concerning, and we sincerely apologise for any worry or inconvenience this incident may cause,” MIFF told affected customers.
MIFF said it “took immediate steps to contain the issue” upon becoming aware of the incident on Friday, while a Ferve spokesperson confirmed Monday there was no evidence of exploitable vulnerabilities in its systems.
“We identified unauthorised access to a specific client system which resulted in the exfiltration of some customer data, and the unauthorised sending of some messages to customers via email and SMS,” a Ferve spokesperson told Information Age.
“There is no evidence of attacks on other client systems.”
MIFF confirmed Monday that precisely 26,782 customer records may have been affected.

The email MIFF sent to affected consumers. Photo: Supplied
Investigations are ongoing at the time of writing, but MIFF was able to confirm that “complete payment card details” could not have been accessed through Ferve, since the platform does not store them in full.
MIFF also found no evidence of account passwords being compromised.
Hackers taunt victims with sad-face emoticon
Upon learning of the incident on Friday, MIFF worked with Ferve to immediately suspend administrator access, block a problem IP address, and disable affected logins.
Despite these containment measures, a threat actor was somehow able to access the system again on Saturday.
As a result, some customers received emails and SMS messages from MIFF’s official communication channels.
If MIFF texts you a sad face, it’s probably a hacker in disguise. Source: Supplied
Information Age understands that rather than conducting phishing scams or further cyberattacks, the hacker simply used the hijacked messaging system to gloat.
On social media, multiple MIFF-goers reported SMS messages that contained nothing more than a simple sad-face emoticon, while others said they received an email message that read “i feel like miley cyrus sometimes”.
Multiple clients received a nonsensical message from an official MIFF email address. Source: @abittershark on X
“We have advised affected customers to remain cautious of unexpected emails or SMS messages that appear to come from MIFF and to avoid clicking links or providing personal information unless they are confident of the source,” MIFF said.
Data for sale, says hacker
Although MIFF identified some 26,782 potentially exposed records – constituting 10 per cent of the company’s database – a post on a popular hacking forum claimed to have acquired data from more than 340,000 customers.
The threat actor claimed other database fields, such as ‘BookingTotal’ and ‘Date Purchased’, were also compromised during the incident.
Visitors to the forum could reach out to the threat actor via encrypted messaging platforms to purchase the purportedly stolen data in exchange for cryptocurrency.
On a popular hacking forum, users had the option to buy allegedly stolen MIFF data for a one-time payment. Source: DailyDarkWeb on X.
MIFF said it was unable to determine the identity of the person or persons responsible for the attack.
I saw a movie, now hackers have my address
Nalin Arachchilage, associate professor in cybersecurity at RMIT University, told Information Age that while no payment details were involved, MIFF’s breach was “far from low risk”.
“People assume they’re safe if their credit card wasn’t exposed,” he said.
“The combination of name, address, email, and phone number is effectively a master key for identity theft and social engineering, and a stepping stone into other systems people rely on every day.”
Arachchilage emphasised that a home address in the wrong hands is “like a physical key” which opens risks “far beyond the digital world”.
“We need to ask a simple question: does attending a film festival require handing over your home address?
“Once the transaction is complete and any legal retention period has passed, the data should be deleted automatically.”
MIFF said it has notified the Australian Signals Directorate's Australian Cyber Security Centre (ACSC), and is continuing to work closely with Ferve to “investigate the incident, secure the platform and understand the scope of any data exposure”.