[BreachExchange] Data breach may affect 50, 000 Australian university students using 'Get' app

[Destry Winant]

https://www.theguardian.com/education/2019/sep/10/data-breach-may-affect-50000-australian-university-students-using-get-app

The personal details of an estimated 50,000 students involved in
university clubs and societies around Australia may have been exposed
online, in the second breach of its kind for the company holding the
data.

Get, previously known as Qnect, is an app built for university
societies and clubs to facilitate payments for events and merchandise.
The app operates in four countries with 159,000 active student users,
and 453 clubs using it.

A user on Reddit reported over the weekend that after looking up their
own club they were able to get access to other users’ data, including
name, email, date of birth, Facebook ID and phone numbers, through the
company’s search function, API.

They said they were able to send requests for data without special
tokens provided for legitimate access to the service, meaning anyone
could request the information.

In response on Sunday, Get posted on its website that it had made a
change to prevent that happening and had begun telling organisations
about the potential breach.

The company said it was reviewing the API calls to see what data might
have been accessed.

“If we become aware of any specific information which has been
compromised we will notify the organisations, their members and report
a breach,” the company said. “No personal payment information is
stored in Get’s databases and payments are processed by a secure
third-party payment processor, responsible for many of the world’s
online transactions.”

Guardian Australia has attempted to contact Get about the breach.

The user who found the breach told Guardian Australia in a message
over Reddit that they had decided to remain anonymous in case Get had
a negative response to the finding, but had tried several times to
contact the company.

“I’ve reached out to Get around six times over the weekend, but
haven’t heard back. I did read their response, but it’s sadly a
non-response,” they said.

“Locking the service down is definitely a good first step, but there
is no genie back in the bottle (the oldest dataset I saw was 16 months
old), and that data is already out in the wild – the least they can do
is let people know what was released so that people can take steps to
protect themselves.”

Get rebranded last year following a data breach that resulted in
members of societies and clubs using the platform being threatened
with having their data released by a hacking group, unless then-Qnect
paid the hackers in bitcoin.

Co-founder Daniel Liang said at the time that media had blown up in
the incident, and the company had been “very transparent”.

“When you’re talking about students’ data and payments, it’s a
sensitive thing. We always kept our community up to date, we were very
transparent and very clear with them,” he said.

A spokesperson for the office of the Australian information
commissioner – who companies must inform about data breaches – did not
confirm whether or not Get had reported the breach.

“We’re aware of the reports about a potential data breach involving
Get. While we can’t comment on the specifics, we would expect any
organisation to act quickly to contain a data breach involving
personal information and assess the potential impact on those
affected,” the spokesperson said.