Massive data breach exposes security flaws at Atif Aslam concert in Dhaka
A newly created Facebook profile has revealed a major data breach concerning Atif Aslam's upcoming concert in Dhaka, set to take place on 29 November.
The breach has raised concerns about the safety of personal data and the overall security of the event titled "Magical Night 2.0" headlined by Atif Aslam.
A self-proclaimed developer, "Fardeen Ahmed Cse," claimed yesterday (23 October) that "Ticket Tomorrow," the official ticketing partner for the concert, lacked basic security measures on its website.
The developer alleged that he was able to access the entire database, including ticket details and the personal information of concert-goers.
"I could edit, delete, or generate tickets for the event," the developer wrote in his post.
He also questioned the company's ability to manage security on the event day, saying, "If they can't secure their audience online, I doubt they can manage anything during the event day either."
The developer also shared a Google Drive link containing the compromised data, which included PDF-format tickets with the names, contact information, and ticket classifications—such as front zone, general zone, and magical zone—of concert-goers.
In the comments of the post, some individuals confirmed that they were able to find their data in the leaked files.
The post quickly went viral, leading to a backlash against the developer for exposing sensitive information.
In response, he deleted the data and wrote, "I exposed the security flaw, shared the leaked tickets, and now everyone knows the tickets are accessible to anyone. This makes it harder for scammers to take advantage, and it pushes the company to finally address the issue [which they wouldn't have done if the post hadn't gone viral]."
He further said, "I've removed the data, not because anyone asked me to, but because I feel like the point has been made. With that, I rest my case."
The Business Standard was able to reach Arifa Shobnom, PR and communications director of Triple Time Communications, who acknowledged that there had been a lack of attention to website security on their part.
She said, "We've been planning to bring Atif since last November, and a great deal of effort went into this. We were so focused on ensuring maximum security for the artist and audience that there was a lack of attention towards the security on the site."
"We didn't anticipate this kind of issue out of the blue," she added.
She further said, "This has been truly disheartening, and we are doing everything possible to manage the damage. Around 9,800 people purchased tickets, and all of them have received new PDFs via email. We are still in the process of distributing the hard copies."
Addressing the rumours about the venue booking, Shobnom clarified, "I will be receiving the booking documents today. We've already spoken with the officials at Army Stadium and have visited the site."
Triple Time Communications also announced in a Facebook post, "All purchases have been rendered invalid due to the recent public occurrence. Our new purchase confirmations will be issued soon, and physical tickets will be provided on time."
Meanwhile, Ticket Tomorrow issued a statement acknowledging the breach: "We encountered an issue where some user and ticket data were accessed without authorisation. We sincerely apologise for any concern this may have caused. Rest assured, we have already taken legal action against those responsible and have reinforced our safety measures."
The developer also disputed the claim that tickets for the event were sold out.
According to him, he was able to see in the system that tickets were still available.
"They've posted 'sold out,' but I can confirm, the tickets are not sold out at all! I deliberately forced them to stop selling tickets, but they will reopen sales later. Right now, they're just taking time for damage control," he added.