Buyers shown other people’s shopping baskets, including payment details.
Fans buying tickets for Adele’s tour have told the BBC they were shown the address and credit card details of customers other than themselves.
Advance tickets were made available to members of Adele.com on Tuesday morning.
But several fans said they were shown other people’s shopping baskets, including payment details, when they tried to check out.
Kiran Farmah, in Birmingham, said she was offered tickets for Glasgow shows.
“I got through to buying tickets but it came up with someone else’s screen with their card details and home address for SSE,” she tweeted.
Emma Harris in Woking told the BBC she had experienced a similar problem.
“After queuing for an hour and half, we clicked the tickets we wanted [and] got pushed through to another screen but different tickets were selected.”
“We went with these anyway because we thought otherwise we’d lose out. But when we got to the next screen, where you fill in your details, all of the boxes were already filled in with somebody else’s name, somebody else’s address and somebody else’s credit card number.”
Harris said she deleted the other customer’s “big, long digit card number” and eventually obtained tickets for the O2 in London next March.
“It’s definitely worrying, as I know myself and a lot of friends of mine have paid with our credit card details and we don’t know who they’ve been exposed to.”
The sale was organised by live music and technology firm Songkick, which provides concert tickets and allows fans to be alerted to upcoming shows.
“Due to extreme load experienced this morning, some of our customers were incorrectly able to preview limited account information belonging to other customers.
“There’s no evidence that this included credit card numbers or passwords. We take the privacy of our users very seriously, and we’re looking further into the matter to ensure it doesn’t happen again.”
Security consultant Graham Cluely said the incident “certainly sounded” like a security breach.
“This is the sort of thing which should be impossible, even if the website is very busy,” he told the BBC.
“It sounds like the website [code] has been written insecurely. It’s spitting out other people’s information – information which they would expect to have been kept private.”
He agreed it was still “unclear” whether credit card numbers had been exposed, but urged customers to be cautious.
“If that information could have been exposed, then keep a close eye on your bank account and your credit card statements. Look for unusual activity there and be very wary of unsolicited messages or unusual emails which you might receive.”
Source: http://www.bbc.co.uk/
