Pandemonium Rocks festival reveals ticket buyer’s personal data

The Pandemonium Rocks live music festival currently running on Australia’s east coast has exposed the personal data of fans seeking refunds.

With seven of the 13 acts on the originally promoted bill no longer being part of the festival, fans who have been applying for partial refunds are reported to have had names, email addresses, mobile numbers and bank account details of other ticket buyers appear on their screen.

Guardian Australia has reported a Mackay couple who had spent more than $2,000 on concert tickets, air fares and hotel accommodation for the Gold Coast edition of the festival who had gone through the process of applying for partial refund application, which would have recouped $140 of her outlay of $516 for two tickets.

When doing this, the names, email addresses, mobile numbers and bank account details of more than 100 strangers filled her screen. An hour later, on the evening of 19th April, she could see the personal details of more than 500 people, including her own.

Festival organisers then took more than 90 minutes to realise the issue, which resulted from an ‘admin tab’ on the Google form they were using having been left open.

Late the following morning, Pandemonium posted a message on its Facebook page confirming a data breach took place on Friday between 5.47pm and 7.20pm.

Its statement advised “all people within the timeframe who filled the form will be contacted by Pandemonium directly asap to notify them that their data was made public during that window and to advise their banks to update their information.

“We are sincerely sorry for the angst this has caused.”

The ticket buyers reference by The Guardian said they had not been contacted by the festival organisers, and none said they had received any refund.

On Pandemonium’s Facebook page, some users have described being unable to message organisers via the platform.

This followed the organisers posting on 22nd March that “due to reckless reporting, and the wilful proliferation of misinformation, rumours and conspiracy surrounding the festival, we are turning comments off on our social media (for now)”.

Under the Notifiable Data Breaches scheme covered by the Australian Privacy Act, an organisation that is subject to the act and suspects a data breach may have occurred must notify the people affected and the Office of the Australian Information Commissioner (OAIC) as soon as possible.

As of Tuesday, Pandemonium’s organisers, One World Entertainment, had not reported the breach to the Commissioner.

An OAIC spokesperson told The Guardian that it was seeking further information from the company, including whether it records an annual turnover of more than $3 million, which would make reporting data breaches to the commissioner mandatory.

The Pandemonium Rocks festival encompassed five concerts spread across six cities, with tickets initially ranging from $250 to $650, then dropped to $190 for a standard ticket after the sudden program change.

More than 8,000 people attended the first concert in Melbourne last Saturday, where the modified lineup included Alice Cooper, Blondie, the Psychedelic Furs and Wheatus.

It has continued this week in Sydney and with a ‘side show’ in Newcastle.

NSW Fair Trading has confirmed that since 13th February it has dealt with 53 complaints about Pandemonium refunds while Consumer Affairs Victoria said in a statement it “does not comment on individual businesses”.

A NSW Fair Trading spokesperson said consumers were entitled to refunds when an event organiser “chooses to cancel or makes a major change to an event”.

With a major change potentially including a headline act, it added “NSW Fair Trading is thoroughly assessing all complaints received so far and has contacted Pandemonium Rocks Festival requesting response to several matters.

Image: Veteran rock entertainer Alice Cooper is one of the headline acts at Pandemonium Rocks. Credit: Shutterstock/A.PAES.