MIFF Data Breach: How a Shared Ticketing Platform Put 27,000 Australian Customers at Risk
A breach via the Ferve ticketing platform exposed a confirmed 26,782 Melbourne International Film Festival customer records. A threat actor claims the real figure exceeds 340,000, and the stolen data is now being offered for sale on underground forums.
Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.
What Happened: The Timeline of the MIFF Ferve Breach
On the evening of 29 May 2026, the Melbourne International Film Festival became aware that an unauthorised party had gained access to its ticketing platform, operated by the Australian company Ferve. A second access event was identified the following day, 30 May, and MIFF issued a public statement on 31 May confirming the breach and its initial scope.
In a notification published on its website, MIFF confirmed that the incident had impacted 26,782 sets of customer records. The personal information potentially exposed included:
- Full names
- Email addresses
- Phone numbers
- Residential addresses
MIFF was clear about what was not taken: Ferve does not store full credit card details, and no account passwords were exposed in this incident. That distinction matters, but it does not mean affected customers are in the clear. The combination of name, email, phone, and physical address is exactly the profile a phishing attacker needs to craft a convincing, personalised approach.
Some customers discovered the breach before MIFF's statement was released. The attacker sent unauthorised emails and text messages to victims using the compromised data, including a bizarre "Critical Security Incident" email containing only the phrase "i feel like miley cyrus sometimes." Whether this was misdirection, a test of access, or simply erratic behaviour remains unclear — MIFF's investigation is ongoing as of the date of this article.
MIFF has notified the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) and has stated that it is working through all relevant regulatory and reporting obligations. Under Australia's Notifiable Data Breaches (NDB) scheme, organisations that hold personal information and experience an eligible data breach must notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals without unreasonable delay. Given the scope — nearly 27,000 individuals — a formal NDB notification is expected.
Affected customers have been advised to stay alert to unexpected communications, avoid clicking unsolicited links, and avoid providing personal or financial information unless they can independently verify the sender.
One Platform, Multiple Festivals: Why the Ferve Breach Has a Wider Reach
The MIFF breach is not simply a story about one festival's IT mishap. Ferve is a Sydney-based ticketing and event management platform that serves a range of prominent Australian cultural events — including the Sydney Film Festival, Sydney Fringe Festival, and Melbourne Writers Festival. That position as a shared platform provider means the same underlying infrastructure vulnerability could have implications for customers of any event that relies on Ferve's systems.
MIFF's confirmed count of 26,782 affected records is the festival's own verified figure — the number of its customers whose data was within scope of the breach. What that count does not tell us is the full scope of the Ferve platform's customer database. A threat actor operating under the handle "2019" posted a dataset to a prominent underground forum, claiming it contained records relating to more than 340,000 customers and members allegedly linked to MIFF and the broader Ferve ecosystem. The post offered the data for sale.
Independent dark web monitoring accounts, including Dark Web Informer and Daily Dark Web, reported the forum listing publicly. The discrepancy between MIFF's confirmed 26,782 records and the threat actor's claimed 340,000+ is significant. It could mean:
- The attacker accessed a wider Ferve database covering multiple events, not just MIFF's own customer slice
- The threat actor's claim is inflated to command a higher sale price — a common tactic on underground forums
- MIFF's figure represents the data directly linked to confirmed access events, while additional records may have been taken through means not yet identified in the investigation
Until Ferve publishes its own assessment of the full platform impact — or the OAIC's investigation concludes — the true scale remains unconfirmed. Other Ferve-powered festivals have not yet issued their own breach notifications at the time of writing. If you have purchased tickets through any Ferve-powered event in the past several years, it would be reasonable to treat your contact details as potentially exposed until further guidance is published.
The incident also illustrates a structural risk that often goes underappreciated: when you buy a ticket to an Australian arts event, you may not be handing your data to the festival itself — you are handing it to whichever third-party ticketing vendor that festival has contracted. The festival's brand is on the ticket, but the data sits in someone else's system.
The Threat Actor, the Hampr Connection, and What This Pattern Suggests
A prolific actor targeting Australian organisations
The threat actor using the handle "2019" did not stop with MIFF. On 31 May 2026 — two days after the MIFF breach surfaced — the same actor posted an alleged dataset from Hampr, an Australian workplace catering and food management platform headquartered in Sydney. The claimed Hampr leak contains more than 360,000 records, and unlike MIFF's incident, this dataset was reportedly published free of charge rather than listed for sale. Hampr's customers include corporate names such as Nespresso, CBRE, and Cisco.
According to Cyber Daily's exclusive reporting, the threat actor "2019" has been active on the forum since at least February 2026 and has shared data from at least 20 Australian victims across 20 separate posts. Australia is their most targeted country, followed by Spain, the United Arab Emirates, and the United States. That level of focus suggests a deliberate strategy rather than opportunistic scanning — this actor is specifically interested in Australian organisations and their data.
What the stolen data enables
When people hear that passwords and credit card details were not taken, there can be a tendency to dismiss the incident as minor. That framing misunderstands how modern social engineering and phishing campaigns actually operate.
A dataset containing name, email, phone number, and residential address for tens of thousands of Australians is genuinely valuable to attackers for several reasons:
- Targeted phishing: An email that addresses you by name, references your suburb, and arrives from a domain superficially similar to MIFF or a bank carries a far higher click-through rate than a generic mass-phish. Attackers layer purchased data to personalise their lures.
- Phone scams (vishing): Knowing a target's name, number, and address allows a caller to impersonate a bank, the ATO, or a government agency with enough detail to be plausible. The ACSC consistently identifies vishing as a high-volume threat to Australians.
- Credential stuffing preparation: Even without passwords from this breach specifically, attackers cross-reference email addresses against other leaked credential databases. Your MIFF email is almost certainly present in at least one of the major historical password dumps circulating on dark web markets.
- Account takeover via social engineering: Armed with personal details, attackers can approach service providers (telecommunications companies, financial institutions) and attempt identity verification to take over accounts.
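The targeted-phishing point above depends on a sender domain that only looks right. As an added example (not part of the original article), this Python code classifies a From: header against a list of trusted domains; the `.example` domains, the `TRUSTED` list and all function names are assumptions made for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Assumption: placeholder domains standing in for senders the recipient trusts.
TRUSTED = ("festival.example", "members.example", "bank.example")

# Digits and Cyrillic letters commonly swapped in for Latin look-alikes.
FOLD = str.maketrans("0135аеоі", "olesaeoi")

def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From: header."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")

def skeleton(domain):
    """Fold visually confusable characters and pairs to one canonical form."""
    folded = unicodedata.normalize("NFKC", domain).translate(FOLD)
    return folded.replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance that also counts an adjacent swap as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, prev2[j - 2] + 1)
            cur.append(cost)
        prev2, prev = prev, cur
    return prev[-1]

def classify(from_header):
    """Return (verdict, trusted domain it matches or resembles, else None)."""
    domain = sender_domain(from_header)
    for t in TRUSTED:
        if domain == t or domain.endswith("." + t):
            return "trusted", t
    for t in TRUSTED:
        # Trusted name used as a prefix of another domain, or a near miss.
        if t + "." in domain or edit_distance(skeleton(domain), skeleton(t)) <= 1:
            return "lookalike", t
    return "unknown", None

if __name__ == "__main__":
    # Constructed sample headers, not taken from the incident.
    for h in ("Festival <alerts@festiva1.example>", "news@festival.example"):
        print(h, "->", classify(h))
```

A "lookalike" verdict is a reason to verify through official contact details, not proof of fraud; punycode (`xn--`) domains are compared as written and are not decoded here.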
MIFF's own investigation
The festival has been transparent about the breach within the limits of what its investigation has established so far. Its response — notifying ACSC, advising customers to be vigilant, and publishing a statement — represents the baseline expected under the NDB scheme. Whether the Ferve platform itself has notified the OAIC separately, and what Ferve's own security posture review has found, has not been disclosed at the time of writing. Cyber Daily's reporting on the incident provides the most detailed Australian-focused account of the breach available.
What Affected Customers Should Do Right Now
If you have purchased tickets through MIFF, the Sydney Film Festival, Sydney Fringe, Melbourne Writers Festival, or any other Ferve-powered event, the following steps are worth taking immediately — regardless of whether you have received a breach notification directly.
1. Assume your email is on the dark web
The first practical step is to check whether your email address appears in known data breach databases. Services that monitor dark web markets and breach compilations can tell you whether your email has been indexed in any known leak. NordPass includes a data breach scanner as part of its password manager feature set, scanning against known breach databases so you can see which accounts associated with your email have been exposed. Once you know which services are affected, you can prioritise which passwords to change first.
2. Change passwords on any account that shares an email address with your Ferve/MIFF account
Even though this specific breach did not expose passwords, attackers will attempt to use your exposed email address in credential stuffing attacks — trying that email against other services using passwords from unrelated historical breaches. If you reuse passwords across accounts (and most people do), now is the time to change them and make each one unique.
3. Enable multi-factor authentication on critical accounts
MFA means an attacker who obtains your password still cannot access your account without a second verification factor. Enable it on your email, banking, social media, and any account holding financial or sensitive data. Authenticator apps (such as those built into NordPass) are more resistant to SIM-swapping than SMS-based MFA — a relevant consideration given that phone numbers were among the exposed data in this breach.
4. Watch for highly personalised phishing and vishing attempts
Be especially alert over the coming months to emails or phone calls that reference your name, suburb, or purchasing history in ways that feel oddly accurate. The ACSC recommends: do not click links in unsolicited emails or SMS; verify the sender independently via official contact details; and report suspected scam activity to Scamwatch (scamwatch.gov.au) and to the ACSC via ReportCyber.
5. Consider a credit or identity alert
IDCARE (idcare.org), Australia's national identity and cyber support service, offers free guidance for Australians affected by data breaches. For incidents where residential addresses have been exposed, it is worth checking whether any new accounts have been opened in your name by reviewing your credit report via one of Australia's credit reporting bodies (Equifax, Experian, or illion).
Third-Party Vendor Risk: Australia's Growing Blind Spot
The MIFF breach via Ferve is one of several recent Australian incidents where the breach did not originate with the organisation customers associate with their data — it originated with a vendor those organisations trusted with that data on their behalf.
The same pattern appeared in the youX breach (where 444,000 Australians' financial records were held by a fintech subprocessor), the Canvas LMS incident (where student data held by an American SaaS provider was exposed), and in the earlier Booking.com breach affecting Australian travellers. In each case, the customer's mental model of "my data is with Organisation X" was technically inaccurate: their data was with Organisation X's vendor, sub-processor, or platform partner.
This is not unique to Australia, but Australia has specific regulatory levers available. The Privacy Act 1988 (Cth) holds Australian Privacy Principle (APP) entities accountable for the handling of personal information they disclose to third parties, provided that disclosure was made with reasonable expectation of continued compliance. The OAIC can investigate both the primary organisation and its service providers where a breach demonstrates inadequate contractual data protection requirements. Whether MIFF's contract with Ferve included appropriate security obligations and audit rights will likely become part of any OAIC inquiry.
What organisations should be asking their vendors
The ACSC's Essential Eight framework does not stop at your own perimeter. Organisations that hold personal information should be asking their SaaS and platform vendors:
- What access controls govern administrator and developer access to production customer data?
- Is customer data encrypted at rest, and under what key management model?
- What is your incident response plan, and what are the notification timelines if a breach affects our customers?
- Do you undergo independent security assessments (penetration testing, SOC 2, ISO 27001)?
- What is your patch management cadence for the software stack handling our data?
For smaller organisations — event producers, festival operators, hospitality businesses — these conversations can feel disproportionate to the apparent scale of the relationship. But the NDB scheme does not offer exemptions based on the size of your vendor. If your customers' data was exposed because your vendor failed, your organisation carries reporting obligations and reputational consequences regardless.
For individuals: you cannot audit your vendors' vendors
From a personal security standpoint, no amount of due diligence on your end will prevent a breach at a platform you cannot see. What you can control is the damage such a breach causes to your broader digital identity. Using unique, strong passwords for every account, which a password manager makes practical, means that an exposed MIFF email address paired with a password leaked from another service cannot be turned into an account takeover elsewhere. Monitoring services that scan dark web markets for your exposed credentials can give you an early warning before attackers act on the data.
NordPass stores each password in its own encrypted vault, generates unique credentials for new accounts, and includes breach scanning so you can see which of your accounts are flagged in known data leaks. Given that the same threat actor behind the MIFF breach has listed data from at least 20 Australian organisations in the past few months, having visibility over which of your email addresses are circulating on underground markets is not a paranoid precaution — it is a reasonable response to a documented threat pattern targeting Australians.
The MIFF breach is a reminder that the Australian cultural sector — arts festivals, ticketing platforms, sporting events, community organisations — holds a surprising volume of detailed personal information and is not always resourced to treat security as a first-order operational concern. MIFF is not the first, and it will not be the last.