Tomorrowland festival goers affected by data breach

Tomorrowland festival goers affected by data breach

Tomorrowland, a major international music festival, has revealed a data breach potentially affecting around 60,000 attendees.

This one is a little different though, as the data accessed without permission isn’t recent. In fact, it dates back four years to an event long since come and gone. According to a Tomorrowland spokesperson, the managers of the Paylogic ticketing system noticed “unusual activity” on an older server. This server contained data for the 2014 event, but the hackers left everything else alone.

“Sensitive” versus “not sensitive”

The hacked server is now offline, and anyone potentially affected should have been made aware of what’s going to happen next. As with most breaches, it involves notification emails and a helpful set of suggestions for cybersecurity best practices.

Accounts conflict about what specifically was breached, accessed, and stolen in the Tomorrowland attack. This may be due to primary news sources being in languages other than English, and things are being lost in translation.

Tomorrowland representatives claim access to sensitive data did not take place. This is where things become reliant on your personal definition of what constitutes “bad” or merely “sort of bad.”

Data taken includes name, email, gender, age, and post code. Data not taken includes payment details, passwords, and addresses.

I suspect everyone’s mileage may vary greatly with regards to what constitutes “sensitive data” here. Depending on which region of the world you come from, a post code alone could drill you down to a couple of houses or a single street. At that point, the specific address probably doesn’t matter too much. With the post code and a name, you could easily find the exact house via publicly-listed information, a voting register, or a house sale.

That seems pretty sensitive to me.

Phishing risks

A dubious phishing attempt is more than doable here as a result of the data taken by scammers. Any communications regarding ticket sales, offers, promotions, or anything else you can think of should be greeted with a healthy dose of suspicion.

Revisit your mailbox and check for any interactions with event organisers the moment you receive any official communications. Have a look at anything you’ve replied to related specifically to Tomorrowland. In particular, pay attention to anything involving payments, password resets, or submission of further personal information. Ignore all rogue emails and send them straight to the recycling bin.

Without further information on when the breach took place, it’s difficult to say how long people should be concerned. We don’t know if the unauthorised access took place last week, last month, or last year. We can’t say how long people were sitting on the stolen information, or if it’s old news for scammers. Potentially, anything worthwhile in the haul has long since stopped being relevant or useful.

Pulling the plug: a good idea

It’s odd that a server containing data from a one-off event in 2014 was still online. Despite this, it’s entirely possible it was online for specific reasons we can’t guess at. Even so, it’s a good cautionary warning to remind admins to take anything offline that doesn’t really need to be there. Even data that should definitely be online for various reasons will often fall victim to attacks and scams.

A full audit, a sensible backup policy, and old data stored securely will solve a lot of these potential headaches. Everybody likes a music festival to be as eventful as possible, but this is perhaps a little too eventful. We hope you experience zero breaches, sensibly priced burgers, and permanently short queues for an abundance of portable toilets.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.