Hundreds of attendees at a Canterbury music festival have been caught up in a privacy breach after pre-sale reminders were sent to the wrong recipients.
The emails, which are sent out to remind people to purchase tickets to the Rolling Meadows music festival, were mistakenly sent to the wrong recipients,revealing personal information.
The incorrect information included a full name, email address, mobile number, postcode, ticket type and quantity, an order identification number, and the last four digits of the payment card, as well as the expiry month and card type.
In some cases, recipients were able to view details of another customer’s ticket order through the included link.
“We want to stress that at no time were full payment card numbers, CVV/security codes, account passwords, login credentials exposed, or tickets,” the spokeswoman said.
“As soon as the issue was detected, we acted quickly to contain it.
“This included immediately pausing the affected email sends, disabling all impacted links, rolling order IDs to prevent any further access, and deploying an error page requiring customers to log in to view their correct order details.
“Our engineering team has fully resolved the issue and added safeguards to prevent this from happening again.
“Only 206 of the incorrect emails were opened, and approximately 50 affected customers have contacted our support team.”
The Sub180 spokeswoman said that despite the low-level breach, the company would self-report to the Privacy Commission and reach out directly to affected customers.
“We sincerely apologise to our customers for this error and for any distress or concern it may have caused.
“Protecting personal information is a responsibility we take extremely seriously, and we deeply regret that this incident occurred.”
The breach comes after the festival announced it would be moving from Waipara, about an hour north of Christchurch, to Bottle Lake Forest, on the outskirts of the city.
It announced it would be expanding from two to three days.