Data breach suffered by online service used by SASS, SciSoc, St John’s College

It appears that thousands of students' personal details may have been leaked

An image showing some code and the GET logo

Get, an online service used by a numerous clubs, societies, and student organisations around Australia, has suffered a major data breach, potentially exposing the data of thousands of students.

An anonymous Reddit user flagged the potential breach on Saturday afternoon after noticing vulnerabilities on Get’s website whilst searching for a club from their university. The user then investigated the website’s APIs (a set of functions used by servers to communicate) and found that the search function API revealed the names, emails, phone numbers, and other sensitive information of client’s members.

Speaking to Honi, the user explained that it appeared that the website had now “shut down its functions” in an apparent effort to stem any further leaks. The user clarified that this has by no means resolved the issue however, and that “it looks like there is no putting the genie back in the bottle.”

It appears that systematic attempts were made prior to the shutting down of the website’s functionality to access information. A number of SQL injection attacks were apparently made, which, according to the original Reddit poster, seemed to indicate that hackers had identified the schema of the Get database and obtained specific data. An SQL injection attack is a technique used by hackers to obtain private data.

The original Reddit poster disclosed to Honi that they stumbled upon the issue while investigating a UNSW club, though according to Get’s website, the company services a number of USyd-based organisations, including Sydney University Arts Society, the Sydney Uni Science Society (SciSoc), St John’s College, and several others.

In a statement to Honi, SciSoc President Thomas Williams expressed concern over the apparent breach.

“SciSoc is very, very concerned about the current data leak allegations. We can assure our members that we have never uploaded our private member lists to the site, nor transferred any member lists from QPay to Get, which is allegedly the source of the leak,” Williams said. “As such we hope that the damage to our member’s privacy is nil.”

QPay is an online payment service used by clubs and societies which is often used in conjunction with Get. Some clubs and societies transfer their QPay data to Get, however, not all data sets breached were connected to QPay. QPay is not connected with the source of the breach.

Honi understands that the matter has been referred to the Australian Information Commissioner.

Get rebranded in the past two years following a similar data breach suffered in 2017. Get, then named Qnect, suffered a breach which saw clients’ members’ private details leaked. At the time, Sydney University Law Society was an affected client, though it had severed relations with the company the year before.

Honi has reached out to Get and is awaiting comment.