
Singapore-backed student events app Get in data breach, leaving details of 30,000 users at risk

  • Ticketing and payment platform popular at universities across Asia is found to have been compromised, but users have not been told
  • App supported by venture capital arm of state firm Temasek was also breached in 2017, but one expert says it has since failed to put in place ‘basic security measures’
An event ticketing and payment app popular with university students across Asia and backed by the venture capital arm of Singapore state investment firm Temasek has suffered a second data breach, potentially exposing the personal details of more than 30,000 users in the city state.

Get, which allows campus clubs and societies to list their social events and sell tickets, repaired the flaw after it was discovered earlier this month, a cybersecurity expert said, but it had yet to notify the users whose information may have been leaked.

Nandakishore Harikumar, CEO of Technisanct Technologies, which is based in Kochi, India, looked into a Reddit user’s comment earlier this month that said he had bought a ticket for a campus event through Get and was eventually able to access a list of other users’ names and details.

The user, who only wanted to be known by his Reddit username Babysharkvic_au, said he was studying machine learning in Australia. He found that by manipulating Get’s application programming interface (API) – the code that allows two applications to talk to each other – through doing searches with the names of campus events misspelt, he could access users’ names, phone numbers, email addresses, dates of birth, and even home addresses.

“I can confirm there was a breach,” Nandakishore said, adding that Get had now revoked access to the API and SQL, or Structured Query Language, which is a computer language used to retrieve data from a database.

The Reddit user said he had emailed Singapore-based Get when he discovered the breach on September 5 but had not heard back. There was no notice on Get’s website about the issue and five students interviewed said they had not received any notification.

Nandakishore said: “Many organisations are little aware about the basic security practices to be followed. They need to inform individual users to change their password.”

But he added that he had not found any of the data being offered for sale on the dark web or other platforms.

Get, which secured US$2.5 million in funding from Temasek’s venture capital arm Vertex Ventures, suffered a first data breach in May 2017 before the firm changed its name from QNect. It is popular in a number of countries and territories including Hong Kong and Australia.

The first breach saw users receive threatening text messages from a hacking group saying their data would be published online, according to Australian media. But the co-founder of the then Sydney-based start-up, Daniel Liang, brushed off the threats, saying hackers possessed no financial information.

Reddit user Babysharkvic_au this month said he had been able to access the personal details of about 30,000 students from Singapore.

He warned users in a Reddit post on Wednesday that they could have been exposed.

“Their lack of a response is a concern, especially since this isn’t the first time they have been hacked,” Babysharkvic_au said.

Among gatherings listed on the app are a venture capital event by Singapore Management University, an arts fiesta by Singapore Polytechnic and a contemporary dance show at Ngee Ann Polytechnic.

Singaporeans using Get expressed concern when told about the breach.

A student who gave her name as Chua said she would be more wary when using it.

“I trust that the developer should have built a system resilient enough to protect data,” she said.

She had bought a ticket to a salsa dance performance.

Bertrand Ong, a 26-year-old assistant brand manager, said he was more worried his credit card information might be disclosed.

“I have used the app a couple of times to buy tickets for social events, and I did not expect my personal information could be used by others,” he said.

The company should have informed users of the breach, Ong added.

Get did not immediately respond to requests for comment.

Nandakishore said the data breach could have been averted had the company put in place “basic security measures”.

“There are many solutions that offer API security … Basic audits need to be done on a regular basis to ensure both these parts are taken care of,” he said.

Anwitaman Datta, an associate professor at Nanyang Technological University, warned that obtaining users’ personal details was akin to hackers finding a “treasure trove”.

“Information nicely organised and linked to each other is a treasure trove for attackers since they can use this to personalise any targeted attack on a person, and do so at scale,” said Datta, who is also part of the university’s Cyber Security Research Centre.

For example, a hacker would know which particular email address or phone number to target for a phishing attack using a “special birthday offer”, he said.

“Personalised attacks take many forms: befriending the target first or blackmailing the target somehow by giving the false impression that the attacker knows certain things about the victim using the kind of information the attacker gets access to because of the data breach.”

Nandakishore said users needed to be more aware of the implications of placing their details online.

“It’s always a user’s choice,” he said. “Companies holding private data, whether it’s a single name or password, are always liable for securing such information.”

Datta added that while it was inevitable that users would leave a trail of personal information on social media, they could avoid being hacked by not responding to unsolicited emails or phone calls from unknown sources.

“Most attacks, while highly personalised, are not really targeted persistently on an individual basis. So staying off the attackers’ radar by simply not responding is the simplest defence that will work against a wide range of such attacks.”

This article appeared in the South China Morning Post print edition as: Singapore-backed app for students in second data breach