Get app exposes personal information of nearly 50,000 university students

• The personal details of roughly 50,000 students involved in university societies and clubs around Australia have been exposed online due to a vulnerability in Get app.
• Upon learning the incident, Get’s engineering team took immediate steps to address the potential vulnerability by reviewing and tokenizing all API calls.

What is the issue?

The personal details of roughly 50,000 students involved in university societies and clubs around Australia have been exposed online due to a vulnerability in Get app.

Get, previously known as Qnect, is an online ticketing service used by university societies and clubs to facilitate payments for events and merchandise. According to its website, Get has more than 159,000 students from 453 university societies and clubs in its community.

What happened?

On September 7, 2019, Get app learned about a potential vulnerability in its systems that could expose the personal information of students. Upon which, the online ticketing service immediately launched an investigation on the incident.

What was exposed?

Get app users claimed that they were able to access users’ data including names, dates of birth, email addresses, Facebook IDs, and phone numbers, through the company’s search function API.

Meanwhile, an engineering student from the University of Canberra told ABC that he found the personal data of about 200,000 users dating back more than a year.

• The student added that he found searches that led him to believe hackers had tried to access the information, including SQL injection attempts.
• He also found queries for the last four digits of a credit card and names on hashed passwords.

However, Get confirmed that no personal payment information is stored in its databases and all payments are processed by a secure third-party payment processor.

What actions have been taken?

• Upon learning about the incident, Get’s engineering team took immediate steps to address the potential vulnerability by reviewing and tokenizing all API calls.
• The online ticketing app promptly reviewed all API calls to determine what data had been accessed.
• It has also notified the organizations who use its platform about the incident and the actions taken in response.

“We appreciate the patience of our partner clubs, many of whom we have been in open and honest communication with over the previous days. Should we discover that any data was obtained from our database we will contact affected individuals. In the meantime, users of our platform should, as always, remain wary of any unusual phone calls, text messages or emails,” Get said in the latest update.