An online ticketing company has moved quickly to fix a “potential data leak” after a university student claimed the personal details of thousands of people had been revealed.
- Get is an online ticketing website used by university clubs and societies
- A student says the personal data of users on the site was publicly available
- The company says it is investigating and will “provide a further update when it becomes available”
In a statement posted on its website, Get said it had “immediately acted” following reports of a “potential vulnerability” in its systems.
“If we become aware of any specific information which has been compromised we will notify the organisations, their members and report a breach,” the company’s statement said.
“No personal payment information is stored in Get’s databases and payments are processed by a secure third-party payment processor, responsible for many of the world’s online transactions.”
On its website, it told users it was investigating the “potential data leak” and would provide a further update when it became available.
The online ticketing start-up, which originated in Sydney, is used by university clubs and associations to manage memberships and sell tickets to events in four countries.
According to its website, Get has more than 159,000 students from 453 societies and clubs in its community.
University clubs listed on its website include those belonging to the University of Adelaide, UNSW Sydney, the University of Sydney, Macquarie University, the University of Technology and Griffith University.
A spokesman for Australia’s national privacy regulator, the Office of the Australian Information Commissioner (OAIC), said it was aware of reports of a potential data breach involving Get.
“While we can’t comment on the specifics, we would expect any organisation to act quickly to contain a data breach involving personal information and assess the potential impact on those affected,” he said.
“If it’s likely to result in serious harm, and the organisation is covered by the Privacy Act, they must notify the people who are affected and the OAIC as quickly as possible.”
In 2018-19, the OAIC received 1,160 reports of data breaches in Australia.
Student claims ‘insane’ amount of information available
Claims about the system vulnerability emerged over the weekend, after a University of Canberra software engineering student posted on social media.
The student, who asked to remain anonymous, told the ABC he found the data when applying for a club membership.
“[The website] showed a list of all the people that were part of that society, which seemed a bit strange to me,” the student said.
He said a quick online search found the personal data of about 200,000 users dating back more than a year.
“I looked at the information that was being sent from Get to my computer … it’s things like name, phone number, date of birth, addresses, student number.
“Having that publicly available is just insane.”
He said he had also seen searches which led him to believe hackers had tried to access the information, including SQL injection attempts, which use vulnerabilities to bypass a site’s security measures.
“I saw queries for last four digits, assuming of a credit card. I saw queries for names on hashed passwords,” he said.
“The [searches had been] done in a sequential pattern … they were accessing specific [information] on the server, they were asking for specific sets of information.
“You wouldn’t do that unless you knew what you’re looking for.”
He said he reported the issue to Get and other impacted universities.
“I guess my concern is that, you know, they’re definitely not letting us know what details may or may not be available at the wider web. Just because you shut, it doesn’t … turn off the tap,” he said.
Vulnerability ‘egregiously basic’, expert says
Security researcher Troy Hunt told the ABC any personal information could be used for nefarious purposes, including identity theft.
He described the claimed system vulnerability as “egregiously basic”.
“Certainly for someone looking to perform some sort of malicious activity, the more information they can get about someone the better — and certainly there has been quite a lot of personal information leaked by this service,” he said.
“I’d be concerned if this was my data. This is information that I would not want to willingly share with other people.
“By the time you match names with phone numbers and addresses and birth dates and things like that, it is a lot of personal information, and remember things like your birthdate are often used as identity verification questions.”
Tech start-up originated in Sydney
Get’s predecessor Qnect was established in 2016 by University of New South Wales commerce students Daniel Liang and Ryan Chen.
The tech start-up has since expanded to three other countries, and has sold $6.2 million worth of tickets, organisation memberships and merchandise across university campuses.
In a separate incident in May 2017, Qnect users began receiving threatening text messages from a hacking group which called itself RavenCrew.
It threatened to release private data unless it was paid a ransom in Bitcoin.
Mr Liang said at the time that the threats had been reported to the Australian Federal Police, and he moved to reassure users that no financial information had been accessed, as it was stored with a third party.