‘Absolute joke’: customers’ personal data exposed amid Pandemonium Rocks festival refund stoush

More than 8,000 people attended the first Pandemonium Rocks concert in Melbourne last Saturday, where Alice Cooper (centre) performed as part of the modified lineup. Photograph: Richard Nicholson/REX/Shutterstock

Kylie Gilroy was already incensed when she and her partner applied for partial refunds for this Saturday’s Pandemonium Rocks music festival on the Gold Coast. The Mackay couple had spent more than $2,000 on concert tickets, air fares and hotel accommodation for a show they no longer wanted to see, after festival organisers confirmed just over two weeks ago that seven of the 13 acts promised, including headliners Deep Purple, the Dead Kennedys, Placebo and Gang of Four, had pulled out.

But when Gilroy hit the send button on her partial refund application, which would have recouped $140 of her outlay of $516 for two tickets, her anger turned to disbelief.

The names, email addresses, mobile numbers and bank account details of more than 100 strangers filled her screen. An hour later, on the evening of 19 April, she could see the personal details of more than 500 people, including her own.

It would take festival organisers more than 90 minutes to realise what had happened – that an admin tab on the Google form they were using had been left open.

“The way that this event has been run is absolute bullshit, and we can’t do anything about it,” said Gilroy. “Nobody can do anything about it.”

Another ticket holder, Jenny, who lives on the Gold Coast, told the Guardian she thought she had become the victim of a scam when some “random guy” emailed to tell her he could see her personal details, including phone number and bank account number, online.

Jenny, who did not want her last name used, said she immediately emptied the bank account identified of all funds.

Late the following morning, Pandemonium posted a message on its Facebook page confirming a data breach took place on Friday between 5.47pm and 7.20pm.

“All people within the timeframe who filled the form will be contacted by Pandemonium directly asap to notify them that their data was made public during that window and to advise their banks to update their information,” the message said. “We are sincerely sorry for the angst this has caused.”

The four ticket holders the Guardian spoke to said they had not been contacted by the festival organisers, and none said they had received any refund.

On Pandemonium’s Facebook page, some users have described being unable to message organisers via the platform. On 22 March the organisers posted that “due to reckless reporting, and the wilful proliferation of misinformation, rumours and conspiracy surrounding the festival, we are turning comments off on our social media (for now)”.

Under the Notifiable Data Breaches scheme covered by the Australian Privacy Act, an organisation that is subject to the act and suspects a data breach may have occurred must notify the people affected and the Office of the Australian Information Commissioner (OAIC) as soon as possible.

As of Tuesday, Pandemonium’s organisers, One World Entertainment, had not reported the breach to the commissioner.

An OAIC spokesperson told the Guardian the office was seeking further information from the company, including whether it records an annual turnover of more than $3m, which would make reporting data breaches to the commissioner mandatory.

One World Entertainment did not respond to a request for comment.

The Pandemonium Rocks festival encompassed five concerts spread across six cities, with tickets initially ranging from $250 to $650, then dropped to $190 for a standard ticket after the sudden program change.

More than 8,000 people attended the first concert in Melbourne last Saturday, where the modified lineup included Alice Cooper, Blondie, the Psychedelic Furs and Wheatus.

The Newcastle concert, described by the organisers as a “side show”, took place on Tuesday night. The Sydney concert will be held on Thursday at Olympic Park and further events follow on the Gold Coast and in Brisbane.

NSW Fair Trading has confirmed that since 13 February it has dealt with 53 complaints about Pandemonium refunds. Consumer Affairs Victoria said in a statement it “does not comment on individual businesses”. Queensland’s Office of Fair Trading did not respond to a request for comment.

A NSW Fair Trading spokesperson said consumers were entitled to refunds when an event organiser “chooses to cancel or makes a major change to an event”. A major change could include the headline act.

“NSW Fair Trading is thoroughly assessing all complaints received so far and has contacted Pandemonium Rocks Festival requesting response to several matters,” the statement said.

Gilroy said the offer of a $70 refund on a $258 ticket, bought on the assumption she and her partner would see Deep Purple, the Dead Kennedys and Placebo perform, was an “absolute joke”.

Multiple ticket-holders said as an alternative to a partial refund Pandemonium had offered them an additional complimentary ticket or a branded hoodie.