Melbourne International Film Festival (MIFF) Data Breach 2026: What You Need to Know

About 26,782 Melbourne International Film Festival (MIFF) customer records were exposed after its third-party ticketing platform, Ferve, was breached. Here is what happened, what data was leaked, and steps you can take to protect yourself.

Breach date: 29 May 2026
Records affected: ~26,782
Risk level: High

What Happened

How the MIFF Breach Unfolded

29 May 2026

MIFF became aware of unauthorised access to its third-party ticketing system, Ferve. An expert response team was mobilised and the ticketing system was temporarily taken offline while MIFF worked with Ferve to secure it.

30 May 2026

Some customers reported receiving unusual messages sent through the Ferve system, including sad-face-emoji texts and an email titled “Critical Security Incident” that read “i feel like miley cyrus sometimes.” The messages confirmed the attacker could send communications to customers, elevating the phishing risk.

2 June 2026

MIFF issued a public statement confirming that approximately 26,782 customer records (about 10% of its database) held within Ferve were affected. A threat actor separately advertised a dataset of “340,000+” records for sale on a hacking forum; MIFF disputed this, stating its customer database does not contain 340,000 records.

MIFF confirmed that the party responsible for the incident published a set of customer information online. Not sure if you were affected? MIFF emailed affected customers directly with the subject "MIFF statement regarding cyber incident".

July 2026

As its investigation neared completion, MIFF wrote to all affected individuals (including anyone sent an earlier notice) confirming that their name, email address, and phone number and/or postal address were involved. MIFF said it notified the Office of the Australian Information Commissioner (OAIC), the Australian Cyber Security Centre (ACSC), and Victoria Police.

Sources: ACS Information Age, Cyber Daily

What Was Exposed

Personal Data Leaked in the Breach

MIFF confirmed that affected customers had their name and email address involved, along with their phone number and/or postal address. This information was collected as part of a past ticket purchase or festival membership. No financial account details or passwords were involved.

| Data Type | Risk Level | Who Was Affected |
|---|---|---|
| Full name | High | Affected customers (approximately 26,782 records) |
| Email address | High | Affected customers (approximately 26,782 records) |
| Phone number | High | Subset (phone number and/or postal address per MIFF) |
| Postal / residential address | High | Subset (phone number and/or postal address per MIFF) |

Risk levels are based on the OAIC's "What is personal information?" guidance and the OAIC Australian Privacy Principles. No government IDs, financial data, or passwords were exposed, so individually these fields would sit lower on the scale. They are rated High here because the exposed set combines name, email, phone, and home address (an identity-linked cluster), and because the attacker demonstrably had the ability to message customers, turning phishing from a theoretical risk into an active one.

✅ Confirmed NOT Exposed

MIFF confirmed that full credit card details and account passwords were not exposed. The Ferve platform does not store full card numbers. The data involved was contact information only.

Company Response

What MIFF Did

“As soon as this incident was detected, an expert response team was quickly mobilised and work began in collaboration with Ferve to ensure the security and integrity of our systems.”
Damien Hodgkinson, Chief Executive Officer, MIFF

Actions Taken by MIFF

  • Temporarily took the Ferve ticketing system offline and worked with Ferve to secure it
  • Notified the Office of the Australian Information Commissioner (OAIC), the ACSC, and Victoria Police
  • Notified all affected individuals as the investigation progressed, including anyone who received an earlier notice
  • Simplified its ticketing so that address details are no longer required for future ticket purchases and card processing
  • Advised customers to stay alert for phishing emails, scam calls, and text messages, and confirmed MIFF will never ask for a username or password

What Now?

Steps You Can Take After the MIFF Breach

No passwords or financial data were exposed, but the combination of name, email, phone, and postal address gives scammers enough to impersonate MIFF convincingly, and the attacker has already shown they can message customers. Here are general best-practice steps, organised by the accounts most commonly affected.

MIFF and Ticketing Accounts

Your MIFF ticketing details were exposed. Other ticketing accounts may use the same email.

Secure your MIFF and ticketing accounts

~5 min
If you have an account with MIFF or the Ferve ticketing platform, it is good practice to update the password and enable multi-factor authentication (MFA) where available. Review any saved details and recent activity. MIFF has confirmed it will never contact you to ask for your username or password.

Review other ticketing and event accounts

Where the same email address or password has been reused across other ticketing, event, or streaming platforms, consider updating those credentials too. Credential reuse is one of the most common ways a single breach spreads to other accounts.

Email and Digital Identity

Your email is the key to your digital identity. Securing it is a sensible first step.

Strengthen email security

~5 min
Updating the password and enabling MFA on the email account tied to your MIFF tickets is widely recommended. It is also worth checking email forwarding rules and connected-app permissions, which can be abused to silently intercept messages.

Understand your full account exposure

Most people have dozens of online accounts linked to one email address. When that email is exposed in a breach, mapping which services are connected is a critical first step in assessing your personal risk.

Phishing and Scam Messages

The attacker used the ticketing system to message customers. Unexpected MIFF messages deserve extra caution.

Treat unexpected MIFF messages with suspicion

Because name, email, and phone were exposed, scam emails and texts can look convincingly like they come from MIFF. Do not click links in unexpected messages. Check the sender address and the URL before entering any details, and verify through miff.com.au directly.

Watch for mail and address-based scams

Where your postal address was involved, stay alert for physical mail or calls that reference your address to appear legitimate. Legitimate organisations will not ask you to confirm passwords or full card numbers by email, phone, or text.

Monitoring and Reporting

Australian resources for breach response and identity protection.

Contact IDCare or report to Scamwatch

IDCare (1800 595 160) is Australia's national identity and cyber support service and provides free, tailored guidance for people affected by data breaches. Reporting to Scamwatch helps authorities track emerging threats.

Check your passwords and exposure

The Victorian Government offers a free password strength tester. Reviewing which of your accounts share the exposed email is a practical way to prioritise what to secure first.

Are You Still at Risk?

The Hidden Danger: Compound Breach Exposure

The MIFF breach did not happen in isolation. If your data also appeared in other major Australian breaches, the combination of leaked information can build a more complete identity profile.

How breach data compounds

On its own, the MIFF breach exposed names, emails, phone numbers, and postal addresses. But if your email also appeared in the Optus or Medibank breaches, the combined data set may include identity documents, Medicare details, and health records. This kind of compound exposure significantly increases the risk of identity fraud.

  • Optus (2022): 9.8M records - passport, licence, Medicare numbers
  • Medibank (2022): 9.7M records - health claims, Medicare details
  • Qantas (2025): 5.7M records - name, date of birth, phone, email
  • MIFF (2026): ~26,782 records - name, email, phone, postal address

If your email appears in two or more of these breaches, your risk level is significantly elevated. In The Event Of can overlay your breach data to show exactly where your exposure compounds, and help you prioritise what to address first.

Related Melbourne arts breach: ACMI (2026)

Days after the MIFF incident, the Australian Centre for the Moving Image (ACMI) was hit by a breach claimed by the same threat actor. If you have used both, your combined exposure is worth reviewing.

Other Major Australian Data Breaches

Data from multiple breaches can be combined to increase identity fraud risk. Review these guides to understand your full exposure.

  • ACMI Data Breach 2026: ~25,000 records exposed (risk level: High)
  • UWA Callista Student System Data Breach 2026: undisclosed records exposed (risk level: Medium)
  • University of Sydney Data Breach 2025: ~27K records exposed (risk level: High)
  • NYC Health + Hospitals Data Breach 2026: ~1.8M records exposed (risk level: Critical)
  • Australian Courts Data Breach 2026: thousands of files exposed (risk level: Critical)
  • youX Data Breach 2026: ~444K records exposed (risk level: High)
  • Prosura Data Breach 2026: 300K-500K records exposed (risk level: High)
  • Canvas (Instructure) Data Breach 2026: ~275M (claimed) records exposed (risk level: Medium)
  • Booking.com Data Breach 2026: undisclosed records exposed (risk level: High)
  • McGraw Hill Data Breach 2026: 13.5M records exposed (risk level: High)
  • Crunchyroll Data Breach 2026: undisclosed records exposed (risk level: High)
  • Eurail Data Breach 2026: 300K+ records exposed (risk level: High)
  • Basic-Fit Data Breach 2026: 1M records exposed (risk level: High)
  • Under Armour Data Breach 2025: 72M records exposed (risk level: High)
  • Salesforce (ShinyHunters) Data Breach 2025: ~1B records exposed (risk level: High)
  • Allianz Life Data Breach 2025: 2.8M records exposed (risk level: High)
  • Workday Data Breach 2025: undisclosed records exposed (risk level: Medium)
  • Western Sydney University Data Breach 2025: 10K records exposed (risk level: High)
  • Genea Fertility Data Breach 2025: 940K records exposed (risk level: Critical)
  • DeepSeek Data Breach 2025: 1M records exposed (risk level: Medium)
  • Tangerine Telecom Data Breach 2024: 232K records exposed (risk level: High)
  • Australian Clinical Labs Data Breach 2022: 223K records exposed (risk level: Critical)
  • Qantas Data Breach 2025: 5.7M records exposed (risk level: High)
  • Optus Data Breach 2022: 9.8M records exposed (risk level: Critical)
  • Medibank Data Breach 2022: 9.7M records exposed (risk level: Critical)
  • Latitude Financial Data Breach 2023: 14M records exposed (risk level: Critical)
  • MyDeal (Woolworths) Data Breach 2022: 2.2M records exposed (risk level: High)

In The Event Of is an Australian digital footprint manager that helps you find the accounts linked to your email, see your breach exposure, and work through a prioritised action plan.

Disclaimer: This guide is provided for general informational purposes only and does not constitute legal, financial, or professional advice. The information is based on publicly available sources at the time of writing and may not reflect the most current developments. In The Event Of Pty Ltd (ABN 38 687 352 647) is not affiliated with the Melbourne International Film Festival (Filmfest Limited) or Ferve. If you believe you have been affected by this data breach, we recommend contacting the relevant authorities and seeking professional guidance specific to your circumstances.