'Alarming' Data Breach Exposes 50,000 Students In Ticketing Website Bungle
Names, emails, birthdays and phone numbers of up to 50,000 students across Australia have been exposed in a potential data breach affecting a popular ticketing website.
Get -- an online platform which facilitates membership payments, ticketing and merchandise for student clubs and societies at many Australian universities -- has been implicated in a potential data leak, with a user claiming thousands of people's details were publicly accessible on its website to anyone after a security bungle.
The company, formerly known as Qnect, claims it has a community of close to 160,000 students -- and there are fears nearly one-third of them could have been caught in the damaging data mistake.
'Irresponsible' Potential Breach Causes Concern
The potential data leak was discovered by a Canberra university student over the weekend. While attempting to purchase a ticket for an event on the Get website, they claimed to have stumbled across a list of names, addresses, numbers and other personal details of students they did not know.
It is unclear exactly how the information was allowed to be publicly accessible online.
"The more concerning part was that the information that was publicly available, it was non-authenticated... so you didn't even have to sign in to get access or have an account [with Get]," the student, who asked to remain anonymous, told 10 daily.
The student, with a background in computer science, also claimed the data has been exposed to "hundreds" of cyber attacks, of a type which could expose raw data like passwords or credit card details.
"It was pretty clear someone had been there before me... they knew what they were going for," the student said.
"It's scary when you actually see it... This isn't even a hack, it was just there. It's irresponsible."
Get Undertaking "thorough Investigation"
10 daily attempted to contact Get multiple times, but the company did not respond by time of publication. However, Get has been updating users on its website, most recently on Tuesday afternoon, where it said it was continuing "thorough investigations into the alleged data breach."
Get appears to have now removed the pages and functions that allowed anyone to access user details over the weekend. 10 daily has seen a redacted version of the collected data before it was removed.
"In recent days we have been in contact with clubs who have notified us of receiving an alarming email about our systems," Get said in a statement on its website, adding the service and sales would continue.
"Should we discover that any data was obtained from our database we will contact affected individuals. In the meantime, users of our platform should, as always, remain wary of any unusual phone calls, text messages or emails."
10 daily has contacted a number of university societies who use the service for their events and ticket sales. Most declined to comment on the record, but several said they were aware of the alleged breach and were speaking with the company.
The student who discovered the potential breach said they have since been contacted by dozens of people concerned their personal details were now exposed.
The Sydney Arts Students Society released a statement on Facebook, saying it was aware of claims that Get had "vulnerabilities in their system".
"As of right now, there is no evidence of user data being obtained. If we become aware of any of our members' data being compromised, we will inform those affected and take the steps as necessary," President Brooke Salzmann said.
The University of Sydney's law student society (SULS), which cut ties with Qnect in 2016 over an unrelated issue, said it had tried to contact the company over the breach, with concerns past data stored about its members may have also been exposed.
"Every time we use a provider, data security is something that we take very seriously," SULS 2019 President Jeremy Chan told 10 daily.
"Data breach at this scale should be something that never happens".
Under Australian law, data breaches likely to cause serious harm to users must be disclosed to the people affected as well as to the Office of the Australian Information Commissioner (OAIC).
On Tuesday, the OAIC would not confirm whether Get had notified them of the potential breach, but told 10 daily they were aware of the reports.
"We would expect any organisation to act quickly to contain a data breach involving personal information and assess the potential impact on those affected," an OAIC spokesperson said.
This is the second time the company has been involved in a potential data leak.
The company rebranded from its previous name, Qnect, just a year after starting, following a 2017 incident where a hacker group texted thousands of students, threatening to disclose their personal data unless a ransom was paid via bitcoin.
At the time, Qnect said the threat had been reported to authorities but insisted no financial information was stored in the app itself.
"Someone who has been hacked once, I kind of understand -- a lot of big and small companies have been hacked -- but this is the second time around," the student, who discovered the breach, said.
Similar Data Breaches Increasing
Since 2018 the OAIC has received 1160 reports of data breaches, including 950 under the mandatory Notifiable Data Breaches scheme.
"Many were caused by human error or cyberattacks linked to phishing or poor password practice," OAIC's spokesperson said.
Deputy Director of the Deakin University Centre for Cyber Security Research and Innovation, Professor Matthew Warren, said it's becoming increasingly common for student data to be exploited.
Warren said the Get breach was an example of an exploited vulnerability arising from security systems not being "sophisticated" enough.
"It could be used for scams, stealing someone's identity and especially for international students, they could contact the university about visa status and get very personal information," he said.
Warren said similar breaches have occurred when small businesses did not have the "expertise or resources" to deal with security issues.
"That's a very unique challenge that small businesses face about cybersecurity," he said.
Warren also said consumer demands for more complex products -- such as mobile ticketing -- can also make systems harder to secure.
"Because they are becoming more complex, there's a great number of vulnerabilities, that if they aren't patched up or updated they can be exploited," he said.
Contact the author: firstname.lastname@example.org