This Week in Asia

Singapore-backed student events app Get in data breach, leaving details of 30,000 users at risk

An event ticketing and payment app popular with university students across Asia and backed by the venture capital arm of Singapore state investment firm Temasek has suffered a second data breach, potentially exposing the personal details of more than 30,000 users in the city state.

Get, which allows campus clubs and societies to list their social events and sell tickets, repaired the flaw after it was discovered earlier this month, a cybersecurity expert said, but it had yet to notify the users whose information may have been leaked.

Nandakishore Harikumar, CEO of Technisanct Technologies, which is based in Kochi, India, looked into a Reddit user's comment earlier this month that said he had bought a ticket for a campus event through Get and was eventually able to access a list of other users' names and details.

The user, who only wanted to be known by his Reddit username Babysharkvic_au, said he was studying machine learning in Australia. He found that by manipulating Get's application programming interface (API), the code that allows two applications to talk to each other, through doing searches with the names of campus events misspelt, he could access users' names, phone numbers, email addresses, dates of birth, and even home addresses.

The app is backed by the venture capital arm of Singapore state firm Temasek. Photo: AFP

"I can confirm there was a breach," Nandakishore said, adding that Get had now revoked access to the API and SQL, or Structured Query Language, which is a computer language used to retrieve data from a database.

The Reddit user said he had emailed Singapore-based Get when he discovered the breach on September 5 but had not heard back. There was no notice on Get's website about the issue and five students interviewed said they had not received any notification.

Nandakishore said: "Many organisations are little aware about the basic security practices to be followed. They need to inform individual users to change their password."

But he added that he had not found any of the data being offered for sale on the dark web or other platforms.

Get, which secured US$2.5 million in funding from Temasek's venture capital arm Vertex Ventures, suffered a first data breach in May 2017 before the firm changed its name from QNect. It is popular in a number of countries and territories including Hong Kong and Australia.

The first breach saw users receive threatening text messages from a hacking group saying their data would be published online, according to Australian media. But the co-founder of the then Sydney-based start-up, Daniel Liang, brushed off the threats, saying hackers possessed no financial information.

Reddit user Babysharkvic_au this month said he had been able to access the personal details of about 30,000 students from Singapore.

He warned users in a Reddit post on Wednesday that they could have been exposed.

"Their lack of a response is a concern, especially since this isn't the first time they have been hacked," Babysharkvic_au said.

Among gatherings listed on the app are a venture capital event by Singapore Management University, an arts fiesta by Singapore Polytechnic and a contemporary dance show at Ngee Ann Polytechnic.

Singaporeans using Get expressed concern when told about the breach.

A student who gave her name as Chua said she would be more wary when using it.

"I trust that the developer should have built a system resilient enough to protect data," she said.

She had bought a ticket to a salsa dance performance.

One expert said the app had failed to put in place 'basic security measures'. Photo: Shutterstock

Bertrand Ong, a 26-year-old assistant brand manager, said he was more worried his credit card information might be disclosed.

"I have used the app a couple of times to buy tickets for social events, and I did not expect my personal information could be used by others," he said.

The company should have informed users of the breach, Ong added.

Get did not immediately respond to requests for comment.

Nandakishore said the data breach could have been averted had the company put in place "basic security measures".

"There are many solutions that offer API security ... Basic audits need to be done on a regular basis to ensure both these parts are taken care of," he said.

Anwitaman Datta, an associate professor at Nanyang Technological University, warned that obtaining users' personal details was akin to hackers finding a "treasure trove".

"Information nicely organised and linked to each other is a treasure trove for attackers since they can use this to personalise any targeted attack on a person, and do so at scale," said Datta, who is also part of the university's Cyber Security Research Centre.

For example, a hacker would know which particular email address or phone number to target for a phishing attack using a "special birthday offer", he said.

"Personalised attacks take many forms: befriending the target first or blackmailing the target somehow by giving the false impression that the attacker knows certain things about the victim using the kind of information the attacker gets access to because of the data breach."

Nandakishore said users needed to be more aware of the implications of placing their details online.

"It's always a user's choice," he said. "Companies holding private data, whether it's a single name or password, are always liable for securing such information."

Datta added that while it was inevitable that users would leave a trail of personal information on social media, they could avoid being hacked by not responding to unsolicited emails or phone calls from unknown sources.

"Most attacks, while highly personalised, are not really targeted persistently on an individual basis. So staying off the attackers' radar by simply not responding is the simplest defence that will work against a wide range of such attacks."

This article originally appeared on the South China Morning Post (SCMP).

Copyright (c) 2019. South China Morning Post Publishers Ltd. All rights reserved.
