Students in Australia who have downloaded Get, an events-scheduling app, may have had their private data compromised on the Internet.
Around 50,000 students are believed to have been caught up in the potential breach, which has shaken university clubs and societies across Australia. The incident is the second leak of its kind linked to the company holding the information.
Previously known as Qnect, the Get app is integrated into student societies and clubs to help support financial transactions for events and merchandise. The app operates in four countries in total, and has an active user base of almost 160,000 students and 453 clubs.
Alarms were first raised on Reddit, where a student reported that they had been able to access other users’ data while looking for their own club through Get. The flag-raiser said they were able to see other students’ names, emails, birth dates, Facebook identities and phone numbers by going through the API behind the company’s search function.
The person said they were also able to send requests for information without the authentication needed to access such data legitimately, meaning anyone could have been able to get their hands on the private data.
In response, Get has said that a change has been made in its app to close the loophole, and that other organisations have been notified about the breach.
The company said that it was conducting a review of the API calls to investigate which data might have been compromised.
“Get is continuing its thorough investigations into the alleged data breach. We appreciate the patience of our partner clubs, many of whom we have been in open and honest communication with over the previous days. Should we discover that any data was obtained from our database we will contact affected individuals. In the meantime, users of our platform should, as always, remain wary of any unusual phone calls, text messages or emails,” the Get statement read.
“If we become aware of any specific information which has been compromised we will notify the organisations, their members and report a breach,” the company said. “No personal payment information is stored in Get’s databases and payments are processed by a secure third-party payment processor, responsible for many of the world’s online transactions,” the statement added.
Get co-founder, Daniel Liang, said that the firm had been “very transparent.”
“When you’re talking about students’ data and payments, it’s a sensitive thing. We always kept our community up to date, we were very transparent and very clear with them,” he said.
A spokesperson for the office of the Australian Information Commissioner said:
“We’re aware of the reports about a potential data breach involving Get. While we can’t comment on the specifics, we would expect any organisation to act quickly to contain a data breach involving personal information and assess the potential impact on those affected.”