Melbourne International Film Festival (MIFF) Data Breach 2026:
What You Need to Know
About 26,782 Melbourne International Film Festival (MIFF) customer records were exposed after its third-party ticketing platform, Ferve, was breached. Here is what happened, what data was leaked, and steps you can take to protect yourself.
Your personal risk from this breach
Sign in or create a free account to see your personalised risk score.
What Happened
How the MIFF Breach Unfolded
29 May 2026
MIFF became aware of unauthorised access to its third-party ticketing system, Ferve. An expert response team was mobilised and the ticketing system was temporarily taken offline while MIFF worked with Ferve to secure it.
30 May 2026
Some customers reported receiving unusual messages sent through the Ferve system, including sad-face-emoji texts and an email titled “Critical Security Incident” that read “i feel like miley cyrus sometimes.” The messages confirmed the attacker could send communications to customers, elevating the phishing risk.
2 June 2026
MIFF issued a public statement confirming that approximately 26,782 customer records (about 10% of its database) held within Ferve were affected. A threat actor separately advertised a dataset of “340,000+” records for sale on a hacking forum; MIFF disputed this, stating its customer database does not contain 340,000 records.
MIFF confirmed that the party responsible for the incident published a set of customer information online. Not sure if you were affected? MIFF emailed affected customers directly with the subject "MIFF statement regarding cyber incident".
July 2026
As its investigation neared completion, MIFF wrote to all affected individuals (including anyone sent an earlier notice) confirming that their name, email address, and phone number and/or postal address were involved. MIFF said it notified the Office of the Australian Information Commissioner (OAIC), the Australian Cyber Security Centre (ACSC), and Victoria Police.
Sources: ACS Information Age, Cyber Daily
What Was Exposed
Personal Data Leaked in the Breach
MIFF confirmed that affected customers had their name and email address involved, along with their phone number and/or postal address. This information was collected as part of a past ticket purchase or festival membership. No financial account details or passwords were involved.
| Data Type | Risk Level | Who Was Affected |
|---|---|---|
| Full name | High | Affected customers (approximately 26,782 records) |
| Email address | High | Affected customers (approximately 26,782 records) |
| Phone number | High | Subset (phone number and/or postal address per MIFF) |
| Postal / residential address | High | Subset (phone number and/or postal address per MIFF) |
Risk levels based on the OAIC: What is personal information? and OAIC Australian Privacy Principles. No government IDs, financial data, or passwords were exposed, so individually these fields would sit lower on the scale. They are rated High here because the exposed set combines name, email, phone, and home address (an identity-linked cluster), and because the attacker demonstrably had the ability to message customers, turning phishing from a theoretical risk into an active one.
✅ Confirmed NOT Exposed
MIFF confirmed that full credit card details and account passwords were not exposed. The Ferve platform does not store full card numbers. The data involved was contact information only.
Company Response
What MIFF Did
“As soon as this incident was detected, an expert response team was quickly mobilised and work began in collaboration with Ferve to ensure the security and integrity of our systems.”
Actions Taken by MIFF
- Temporarily took the Ferve ticketing system offline and worked with Ferve to secure it
- Notified the Office of the Australian Information Commissioner (OAIC), the ACSC, and Victoria Police
- Notified all affected individuals as the investigation progressed, including anyone who received an earlier notice
- Simplified its ticketing so that address details are no longer required for future ticket purchases and card processing
- Advised customers to stay alert for phishing emails, scam calls, and text messages, and confirmed MIFF will never ask for a username or password
What Now?
Steps You Can Take After the MIFF Breach
No passwords or financial data were exposed, but the combination of name email phone and postal address gives scammers enough to impersonate MIFF convincingly, and the attacker has already shown they can message customers. Here are general best-practice steps, organised by the accounts most commonly affected.
MIFF and Ticketing Accounts
Your MIFF ticketing details were exposed. Other ticketing accounts may use the same email.
Secure your MIFF and ticketing accounts
~5 minReview other ticketing and event accounts
Email and Digital Identity
Your email is the key to your digital identity. Securing it is a sensible first step.
Strengthen email security
~5 minUnderstand your full account exposure
Phishing and Scam Messages
The attacker used the ticketing system to message customers. Unexpected MIFF messages deserve extra caution.
Treat unexpected MIFF messages with suspicion
Watch for mail and address-based scams
Monitoring and Reporting
Australian resources for breach response and identity protection.
Check your passwords and exposure
Not sure which of your accounts are affected?
In The Event Of helps you find the accounts linked to your email and shows your breach exposure, so you can work through a clear, prioritised plan after an incident.
Are You Still at Risk?
The Hidden Danger: Compound Breach Exposure
The MIFF breach did not happen in isolation. If your data also appeared in other major Australian breaches, the combination of leaked information can build a more complete identity profile.
How breach data compounds
On its own, the MIFF breach exposed names, emails, phone numbers, and postal addresses. But if your email also appeared in the Optus or Medibank breaches, the combined data set may include identity documents, Medicare details, and health records. This kind of compound exposure significantly increases the risk of identity fraud.
- Optus (2022)9.8M records - passport, licence, Medicare numbers
- Medibank (2022)9.7M records - health claims, Medicare details
- Qantas (2025)5.7M records - name, date of birth, phone, email
- MIFF (2026)~26,782 records - name, email, phone, postal address
If your email appears in two or more of these breaches, your risk level is significantly elevated. In The Event Of can overlay your breach data to show exactly where your exposure compounds, and help you prioritise what to address first.
Related Melbourne arts breach: ACMI (2026)
Days after the MIFF incident, the Australian Centre for the Moving Image (ACMI) was hit by a breach claimed by the same threat actor. If you have used both, your combined exposure is worth reviewing.
Frequently Asked Questions
MIFF Breach FAQ
Sources
- MIFF: Statement regarding cyber incident (official notification, June 2026)
- ACS Information Age: "Film festival hack leaves thousands fearing identity theft"
- Cyber Daily: "Hacked! Melbourne International Film Festival responding to cyber incidents"
- Peter A Clarke: "Melbourne International Film Festival suffers data breach" (2 Jun 2026)
- OAIC: What is personal information? (Privacy Act 1988 categories)
- OAIC: Australian Privacy Principles
- OAIC: Notifiable Data Breaches scheme
Other Major Australian Data Breaches
Data from multiple breaches can be combined to increase identity fraud risk. Review these guides to understand your full exposure.
ACMI Data Breach 2026
~25,000 records exposed
UWA Callista Student System Data Breach 2026
Undisclosed records exposed
University of Sydney Data Breach 2025
~27K records exposed
NYC Health + Hospitals Data Breach 2026
~1.8M records exposed
Australian Courts Data Breach 2026
Thousands of files records exposed
youX Data Breach 2026
~444K records exposed
Prosura Data Breach 2026
300K-500K records exposed
Canvas (Instructure) Data Breach 2026
~275M (claimed) records exposed
Booking.com Data Breach 2026
Undisclosed records exposed
McGraw Hill Data Breach 2026
13.5M records exposed
Crunchyroll Data Breach 2026
Undisclosed records exposed
Eurail Data Breach 2026
300K+ records exposed
Basic-Fit Data Breach 2026
1M records exposed
Under Armour Data Breach 2025
72M records exposed
Salesforce (ShinyHunters) Data Breach 2025
~1B records exposed
Allianz Life Data Breach 2025
2.8M records exposed
Workday Data Breach 2025
Undisclosed records exposed
Western Sydney University Data Breach 2025
10K records exposed
Genea Fertility Data Breach 2025
940K records exposed
DeepSeek Data Breach 2025
1M records exposed
Tangerine Telecom Data Breach 2024
232K records exposed
Australian Clinical Labs Data Breach 2022
223K records exposed
Qantas Data Breach 2025
5.7M records exposed
Optus Data Breach 2022
9.8M records exposed
Medibank Data Breach 2022
9.7M records exposed
Latitude Financial Data Breach 2023
14M records exposed
MyDeal (Woolworths) Data Breach 2022
2.2M records exposed
Guides to read next
In The Event Of is an Australian digital footprint manager that helps you find the accounts linked to your email, see your breach exposure, and work through a prioritised action plan. These guides walk through the steps:
Disclaimer: This guide is provided for general informational purposes only and does not constitute legal, financial, or professional advice. The information is based on publicly available sources at the time of writing and may not reflect the most current developments. In The Event Of Pty Ltd (ABN 38 687 352 647) is not affiliated with the Melbourne International Film Festival (Filmfest Limited) or Ferve. If you believe you have been affected by this data breach, we recommend contacting the relevant authorities and seeking professional guidance specific to your circumstances.