Following the ticketing chaos that plagued last week’s Splendour In The Grass ticket sale, the head of Moshtix has issued a “personal update” that all but confirms the website was hacked while offering the company’s “shame and frustration” to disgruntled punters.

Shortly after the digital box office opened for Splendour 2014, social media lit up with frustrated punters offered fake ‘50% off’ discounted tickets while others were slugged with suspect credit card fees, which in some cases amounted to thousands of extra dollars as patrons flooded the festival’s and Moshtix’s Facebook and Twitter in outrage and panic over concerns the site had been hacked.

At the time, “technical issues” were blamed while ticket holders were assured that their financial information had not been compromised.

Now Moshtix CEO Harley Evans confirms that “an area of our ticketing system that controls event details was accessed by an unauthorised user [between] 9.10am and 9.37am” at the time of the Splendour sale, as FasterLouder points out.

In a personal statement issued on the Moshtix’s website yesterday afternoon, Evans verifies that 422 customers were incorrectly slammed with thousands in extra credit card surcharges while 13 customers purchased the false 50% off tickets. In both instances, patrons were offered a refund. “Our view is that it appears from the actions that the intention was to create confusion and concern and damage the Moshtix brand.”

Following an internal investigation and working with police, Evans confirms what many suspected, that the ticketing changes “were being made by someone in a deliberate and unauthorised fashion” and not any “bug” in their systems. The investigation is ongoing but Evans add that “at no time at all were customers’ confidential information, in particular credit card details, viewed or downloaded from our system.

“It’s a real shame and frustration to everyone at Moshtix that what should have been a day of celebration for the festival industry, with one of its most iconic and best loved festivals selling out in a challenging environment, that the focus of the day was on the unauthorised activities that caused the disruption.”

Evans says that as for the motivations of the hacker, “we can only speculate at this point. Our view is that it appears from the actions that the intention was to create confusion and concern and damage the Moshtix brand,” he continues.

“It’s obvious that those involved have scant regard for the impact this type of planned activity has on consumers and the industry generally. Further, this type of activity is illegal and we intend to pursue this matter to the fullest extent possible.”

Despite the confusion, tickets to Splendour In The Grass 2014 sold out within hours and last Monday, organisers revealed a huge list of Splendour 2014 sideshows, offering chances to catch the 80+ strong lineup outside of the festival. Including dates from Childish GambinoFirst Aid KitÁsgeir, Tune-Yards, Future Islands, and Kelis.

You can read Harley Evans’ full statement below.

Hi everyone

I wanted to give you a personal update on what happened during last Friday’s Splendour in the Grass on sale. As many of you will know, we had an unprecedented situation where an area of our ticketing system that controls event details was accessed by an unauthorised user. Between 9.10am and 9.37am, this unauthorised access resulted in a few things happening;

1. A 50% discount was offered to a small number of ticket buyers; 13 orders were made at the discounted rate. All orders have been refunded and the affected customers given the chance to repurchase at the correct price.

2. The credit card surcharge level was changed, resulting in customers being incorrectly charged very high fees. A total of 422 customers were affected and all those customers have had the difference refunded to their credit cards.

3. A message was posted on the Splendour in The Grass event page suggesting data lists could be purchased from an online market place called Silk Road. This message was entirely false and was posted with the intention of causing concern and disruption to the on-sale process.

For obvious reasons, all of this caused a lot of concern amongst ticket buyers.

As a result of our immediate investigations into the problem, we established that the changes were being made by someone in a deliberate and unauthorised fashion (as opposed to there being some sort of ‘bug’ in the system or a change authorised by the event organiser via a self-service tool). We then immediately disabled access to the affected part of our system to prevent further changes being made, and we fixed the elements listed above. There was no further unauthorised access of our system after that point.

We then immediately instigated forensic analysis of what had happened through an independent firm who specialises in fraudulent e-commerce activity and we reported the incident to the Police. Following the update we provided on Friday, we can confirm that these investigations have uncovered the following;

1. The unauthorised access was limited to the “front end” area of our system that controls event configuration information for the Splendour in The Grass event (i.e. ticket prices, ticket fees, event info for the website etc).

2. Access to the system was gained through the unauthorised use of a legitimate single account username and password which was established for the Splendour in the Grass event. The investigation is ongoing and currently focussing on how these login details were obtained. We are continuing to work with Splendour in the Grass and our IT provider to try to determine the identity of the person or persons responsible.

3. At no time at all was access gained to any other parts of our system such as the areas that manage customer payment details, client bank account details etc.

4. At no time at all were customers’ confidential information, in particular credit card details, viewed or downloaded from our system. We send encrypted cardholder data directly to our payment processor at the point of purchase and do not store the details in our system.

We are entirely confident that this will not happen again as a result of changes we have implemented since Friday.

In terms of why this person(s) did what they did, we can only speculate at this point. Our view is that it appears from the actions that the intention was to create confusion and concern and damage the moshtix brand.

It’s obvious that those involved have scant regard for the impact this type of planned activity has on consumers and the industry generally. Further, this type of activity is illegal and we intend to pursue this matter to the fullest extent possible.

It’s a real shame and frustration to everyone at moshtix that what should have been a day of celebration for the festival industry, with one of its most iconic and best loved festivals selling out in a challenging environment, that the focus of the day was on the unauthorised activities that caused the disruption.

I do want to apologise for any delay in us getting updates to you on Friday. We were doing our best to keep everyone, including the Splendour in The Grass organisers and the media in the loop with what was happening, however our immediate priorities on Friday were ensuring that we investigated and understood the nature of the disruption and impacts on our systems and on ticket buyers, and that sales for the festival were able to continue. In total, less than 500 customers were affected with incorrect bookings.

Due to the massive demand each year for Splendour in The Grass tickets, and in particular this year, obviously many customers missed out on securing tickets. As in previous years we encourage those who missed out to keep an eye on our website and Facebook page for any updates.

Thanks for taking the time to read, and we hope to see you at a live event soon.

Harley Evans

CEO, Moshtix

Get unlimited access to the coverage that shapes our culture.
to Rolling Stone magazine
to Rolling Stone magazine