Singapore-backed student events app Get in data breach, leaving details of 30,000 users at risk
- Ticketing and payment platform popular at universities across Asia is found to have been compromised, but users have not been told
- App supported by venture capital arm of state firm Temasek was also breached in 2017, but one expert says it has since failed to put in place ‘basic security measures’
Get, which allows campus clubs and societies to list their social events and sell tickets, repaired the flaw after it was discovered earlier this month, a cybersecurity expert said, but it had yet to notify the users whose information may have been leaked.
“I can confirm there was a breach,” Nandakishore said, adding that Get had now revoked access to the API and SQL, or Structured Query Language, which is a computer language used to retrieve data from a database.
The Reddit user said he had emailed Singapore-based Get when he discovered the breach on September 5 but had not heard back. There was no notice on Get’s website about the issue and five students interviewed said they had not received any notification.
Nandakishore said: “Many organisations are little aware about the basic security practices to be followed. They need to inform individual users to change their password.”
But he added that he had not found any of the data being offered for sale on the dark web or other platforms.
The first breach saw users receive threatening text messages from a hacking group saying their data would be published online, according to Australian media. But the co-founder of the then Sydney-based start-up, Daniel Liang, brushed off the threats, saying hackers possessed no financial information.
Reddit user Babysharkvic_au this month said he had been able to access the personal details of about 30,000 students from Singapore.
He warned users in a Reddit post on Wednesday that they could have been exposed.
“Their lack of a response is a concern, especially since this isn’t the first time they have been hacked,” Babysharkvic_au said.
Among gatherings listed on the app are a venture capital event by Singapore Management University, an arts fiesta by Singapore Polytechnic and a contemporary dance show at Ngee Ann Polytechnic.
Singaporeans using Get expressed concern when told about the breach.
A student who gave her name as Chua said she would be more wary when using it.
“I trust that the developer should have built a system resilient enough to protect data,” she said.
She had bought a ticket to a salsa dance performance.
Bertrand Ong, a 26-year-old assistant brand manager, said he was more worried his credit card information might be disclosed.
“I have used the app a couple of times to buy tickets for social events, and I did not expect my personal information could be used by others,” he said.
The company should have informed users of the breach, Ong added.
Get did not immediately respond to requests for comment.
Nandakishore said the data breach could have been averted had the company put in place “basic security measures”.
“There are many solutions that offer API security … Basic audits need to be done on a regular basis to ensure both these parts are taken care of,” he said.
Anwitaman Datta, an associate professor at Nanyang Technological University, warned that obtaining users’ personal details was akin to hackers finding a “treasure trove”.
“Information nicely organised and linked to each other is a treasure trove for attackers since they can use this to personalise any targeted attack on a person, and do so at scale,” said Datta, who is also part of the university’s Cyber Security Research Centre.
For example, a hacker would know which particular email address or phone number to target for a phishing attack using a “special birthday offer”, he said.
“Personalised attacks take many forms: befriending the target first or blackmailing the target somehow by giving the false impression that the attacker knows certain things about the victim using the kind of information the attacker gets access to because of the data breach.”
Nandakishore said users needed to be more aware of the implications of placing their details online.
“It’s always a user’s choice,” he said. “Companies holding private data, whether it’s a single name or password, are always liable for securing such information.”
Datta added that while it was inevitable that users would leave a trail of personal information on social media, they could avoid being hacked by not responding to unsolicited emails or phone calls from unknown sources.
“Most attacks, while highly personalised, are not really targeted persistently on an individual basis. So staying off the attackers’ radar by simply not responding is the simplest defence that will work against a wide range of such attacks.”