Advertisement
Singapore
This Week in AsiaEconomics

Singapore-backed student events app Get in data breach, leaving details of 30,000 users at risk

  • Ticketing and payment platform popular at universities across Asia is found to have been compromised, but users have not been told
  • App supported by venture capital arm of state firm Temasek was also breached in 2017, but one expert says it has since failed to put in place ‘basic security measures’

Reading Time:4 minutes
Why you can trust SCMP
A Reddit user said he discovered the breach on September 5. Photo: Shutterstock
Dewey Simin Beijing
An event ticketing and payment app popular with university students across Asia and backed by the venture capital arm of Singapore state investment firm Temasek has suffered a second data breach, potentially exposing the personal details of more than 30,000 users in the city state.

Get, which allows campus clubs and societies to list their social events and sell tickets, repaired the flaw after it was discovered earlier this month, a cybersecurity expert said, but it had yet to notify the users whose information may have been leaked.

Nandakishore Harikumar, CEO of Technisanct Technologies, which is based in Kochi, India, looked into a Reddit user’s comment earlier this month that said he had bought a ticket for a campus event through Get and was eventually able to access a list of other users’ names and details.
Advertisement
The user, who only wanted to be known by his Reddit username Babysharkvic_au, said he was studying machine learning in Australia. He found that by manipulating Get’s application programming interface (API) – the code that allows two applications to talk to each other – through doing searches with the names of campus events misspelt, he could access users’ names, phone numbers, email addresses, dates of birth, and even home addresses.
The app is backed by the venture capital arm of Singapore state firm Temasek. Photo: AFP
The app is backed by the venture capital arm of Singapore state firm Temasek. Photo: AFP
Advertisement

“I can confirm there was a breach,” Nandakishore said, adding that Get had now revoked access to the API and SQL, or Structured Query Language, which is computer language used to retrieve data from a database.

The Reddit user said he had emailed Singapore-based Get when he discovered the breach on September 5 but had not heard back. There was no notice on Get’s website about the issue and five students interviewed said they had not received any notification.

Advertisement
Select Voice
Choose your listening speed
Get through articles 2x faster
1.25x
250 WPM
Slow
Average
Fast
1.25x