Night made less magical by data breach: We didn't pay attention to website security, organisers say
The Business Standard has obtained a document with today's date that said Army Stadium has confirmed the booking of the show for 29 November.
Organisers of the upcoming Atif Aslam concert had not paid much attention to website security, resulting in the data breach that rocked concert preparations yesterday (23 October) and made public personal information on ticket purchases.
Speaking to The Business Standard, Arifa Shobnom, PR and communications director of Triple Time Communications, acknowledged that there had been a lack of attention to website security on their part.
"We were so focused on ensuring maximum security for the artist and audience that there was a lack of attention towards the security on the site," said Arifa Shobnom.
"This has been truly disheartening, and we are doing everything possible to manage the damage. Around 9,800 people purchased tickets, and all of them have received new PDFs via email. We are still in the process of distributing the hard copies," she added.
The breach came to light when a self-proclaimed developer, "Fardeen Ahmed Cse," claimed that "Ticket Tomorrow," the official ticketing partner for "Magical Night 2.0" headlined by Atif Aslam, lacked basic security measures on its website.
He alleged he had been able to access the entire database, including ticket details and the personal information of concert-goers.
"I could edit, delete, or generate tickets for the event," the developer wrote in his post.
Questioning the company's ability to ensure security on concert day, he wrote, "If they can't secure their audience online, I doubt they can manage anything during the event day either."
In his post, he shared a Google Drive link containing the compromised data, which included PDF-format tickets with the names, contact information, and ticket classifications—such as front zone, general zone, and magical zone—of concert-goers.
In the comments of the post, some individuals confirmed that they were able to find their data in the leaked files.
The post quickly went viral, leading to a backlash against the developer for exposing sensitive information.
In response, he deleted the data and wrote, "I exposed the security flaw, shared the leaked tickets, and now everyone knows the tickets are accessible to anyone. This makes it harder for scammers to take advantage, and it pushes the company to finally address the issue [which they wouldn't have done if the post hadn't gone viral]."
Triple Time Communications in turn announced in a Facebook post, "All purchases have been rendered invalid due to the recent public occurrence. Our new purchase confirmations will be issued soon, and physical tickets will be provided on time."
Meanwhile, Ticket Tomorrow issued a statement acknowledging the breach: "We encountered an issue where some user and ticket data were accessed without authorisation. We sincerely apologise for any concern this may have caused. Rest assured, we have already taken legal action against those responsible and have reinforced our safety measures."
Meanwhile, addressing the rumours about the venue booking, Shobnom clarified, "I will be receiving the booking documents today. We've already spoken with the officials at Army Stadium and have visited the site."
The developer who made the Facebook post also disputed the claim that tickets for the event were sold out.
According to him, he was able to see in the system that tickets were still available.
"They've posted 'sold out,' but I can confirm, the tickets are not sold out at all! I deliberately forced them to stop selling tickets, but they will reopen sales later. Right now, they're just taking time for damage control," he added.
Staff Feature Writer Tanisha Kabir contributed to this report.