The personal details of an estimated 50,000 students involved in university clubs and societies around Australia may have been exposed online, in the second breach of its kind for the company holding the data.
Get, previously known as Qnect, is an app built for university societies and clubs to facilitate payments for events and merchandise. The app operates in four countries with 159,000 active student users, and 453 clubs using it.
A user on Reddit reported over the weekend that after looking up their own club they were able to get access to other users’ data, including name, email, date of birth, Facebook ID and phone numbers, through the company’s search function, API.
They said they were able to send requests for data without special tokens provided for legitimate access to the service, meaning anyone could request the information.
In response on Sunday, Get posted on its website that it had made a change to prevent that happening and had begun telling organisations about the potential breach.
The company said it was reviewing the API calls to see what data might have been accessed.
“If we become aware of any specific information which has been compromised we will notify the organisations, their members and report a breach,” the company said. “No personal payment information is stored in Get’s databases and payments are processed by a secure third-party payment processor, responsible for many of the world’s online transactions.”
Guardian Australia has attempted to contact Get about the breach.
The user who found the breach told Guardian Australia in a message over Reddit that they had decided to remain anonymous in case Get had a negative response to the finding, but had tried several times to contact the company.
“I’ve reached out to Get around six times over the weekend, but haven’t heard back. I did read their response, but it’s sadly a non-response,” they said.
“Locking the service down is definitely a good first step, but there is no genie back in the bottle (the oldest dataset I saw was 16 months old), and that data is already out in the wild – the least they can do is let people know what was released so that people can take steps to protect themselves.”
Get rebranded last year following a data breach that resulted in members of societies and clubs using the platform being threatened with having their data released by a hacking group, unless then-Qnect paid the hackers in bitcoin.
Co-founder Daniel Liang said at the time that media had blown up in the incident, and the company had been “very transparent”.
“When you’re talking about students’ data and payments, it’s a sensitive thing. We always kept our community up to date, we were very transparent and very clear with them,” he said.
A spokesperson for the office of the Australian information commissioner – who companies must inform about data breaches – did not confirm whether or not Get had reported the breach.
“We’re aware of the reports about a potential data breach involving Get. While we can’t comment on the specifics, we would expect any organisation to act quickly to contain a data breach involving personal information and assess the potential impact on those affected,” the spokesperson said.