Over 50,000 university students have had their private data breached as part of a significant incident at payment and ticketing platform Get.
Get, which services student clubs running events throughout the country, had left the names and contact details of customers visible through its interfaces for an unknown period before a user discovered the error on Saturday.
While the company has since blocked off access to this information, the user, who wished to remain nameless for fears of retaliation from Get, said there was evidence others had accessed the data thousands of times before.
“There were easily thousands [of breaches],” they told The Australian Financial Review. “Though there was no way to differentiate each attempt – it could’ve been all the same person, or each a different person on the other extreme.”
The user was also able to provide an extract of the database that was then able to be verified to hold the mobile phone numbers of several students.
The user said a search of the database for phone numbers with an Australian area code turned back more than 50,000 results, which also had email addresses attached to the profiles.
The scale of the breach represented nearly a third of the 159,000 students active on Get’s platform. Meanwhile, the company also counts 453 student societies in four countries on its service.
Major Australian student clubs using Get include Sydney University Cricket Cub, UNSW Engineering Society and Griffith Business Students Association, among others.
Get was approached for comment but did not respond; however, the company has acknowledged the breach on its website.
“We are continuing our investigations and will provide a further update when it becomes available,” it said in a statement.
While the company did not make any comment on the size and information revealed in the breach, it is likely the incident falls under the Notifiable Data Breaches scheme under the Privacy Act.
The scheme compels Get to notify the Office of the Australian Information Commissioner of the data breach, and promptly inform the individuals affected.
However, students whose names and contact details appear say Get has yet to contact them.
On the other hand, an OAIC spokesman was unable to confirm whether the company had reported the breach.
“We’re aware of the reports about a potential data breach involving Get,” the spokesman said. “While we can’t comment on the specifics, we would expect any organisation to act quickly to contain a data breach involving personal information and assess the potential impact on those affected.”
“We advise individuals to respond quickly when they’re notified and take the appropriate action, such as changing passwords, checking accounts and credit reports, and watching out for scams.”
This breach is not the first time Get has been in hot water over a data breach. Just last year, when it was then known as Qnect, a hacking group threatened users that it would publish their information online unless the company paid it in bitcoin.
Source: Financial Review
A data breach that has caused more than 50,000 university students to have their personal information publicly available on a booking platform’s website. Luckily the platform has responded to this breach and have blocked that page containing the personal information. They have also started investigating into how this breach occurred.
Visit our Technology Centre and make your first purchase with us today!