This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

GET Education

Summary

GET Education, an online event ticketing platform used by university student societies and clubs, suffered a major data breach in September 2019 that exposed the personal information of approximately 50,000 Australian university students. The breach, described as "alarming" by cybersecurity experts, occurred due to a security misconfiguration that left student data publicly accessible. Students from prestigious universities including UNSW, University of Sydney, St John's College, and others were affected.

What Happened

Misconfiguration. GET's ticketing system was improperly configured, leaving student databases publicly accessible without requiring authentication. The vulnerability meant that anyone who knew where to look could access students' personal information including names, email addresses, phone numbers, dates of birth, and home addresses. The data was exposed through the platform used by student organisations like the Sydney University Science Society (SciSoc), Sydney Arts Students' Society (SASS), and St John's College for managing event ticketing and registrations. The breach was discovered by a security researcher who alerted GET to the exposure.

Impact on Individuals

  • Comprehensive Data Exposure: Names, email addresses, phone numbers, dates of birth, and residential addresses exposed
  • Student Targeting: Young adults particularly vulnerable to scams, phishing, and identity theft
  • Phishing Risk: Detailed student contact information enabled highly targeted university-themed scams
  • Identity Theft: Combination of personal details sufficient for various forms of fraud
  • Privacy Concerns: Information about students' club memberships and event attendance revealed
  • Long-term Risk: Student data valuable for future targeting as graduates enter workforce

The breach was particularly concerning because it affected young people at a vulnerable life stage, many living independently for the first time.

Response

GET Education immediately secured the exposed database and launched an investigation into the breach. The company notified affected students and the universities whose student organisations used the platform. GET apologised for the incident and engaged cybersecurity experts to conduct a comprehensive security review of its systems. The platform implemented enhanced security measures and access controls to prevent similar exposures. Affected universities advised their student societies about the breach and recommended students monitor their accounts for suspicious activity. The incident prompted discussions within Australia's university sector about the security practices of third-party service providers used by student organisations and clubs. +++

Verification Source: View original statement