Several fans told the BBC that when they tried to complete their purchase, they were taken to checkout pages listing tickets for other shows than the ones they had selected, along with personal information that wasn’t their own.
It’s possible that live concert tracking and ticketing service Songkick, which ran the sale, had a glitch in its system that caused the mix-up. The company said in a statement:
Due to extreme load experienced this morning, some of our customers were incorrectly able to preview limited account information belonging to other customers.
There’s no evidence that this included credit card numbers or passwords. We take the privacy of our users very seriously, and we’re looking further into the matter to ensure it doesn’t happen again.
Security consultant Graham Cluely told the BBC that the incident “certainly sounded” like a security breach. He said, “This is the sort of thing which should be impossible, even if the website is very busy. It sounds like the website [code] has been written insecurely.”
Cluely’s explanation doesn’t make it sound like a breach at all, but rather just a buggy site struggling under a massive load.
It isn’t clear how many users were affected, but the number could run into the thousands given that Adele’s tour spans over 30 shows in large venues across Europe.
Update: Songkick has issued a statement:
Songkick was responsible for selling 40% of tickets directly to fans, a portion of whom were unfortunately able to preview other users’ shopping carts for brief periods due to extreme load. At no time was anyone able to access another person’s password, nor their payment or credit card details (which are not retained by Songkick). We take the security of our users and Adele’s fans very seriously, and we apologize for the alarm we have caused to those purchasers who experienced issues.