A Sydney startup has had its customer data stolen with the hackers threatening to publish the information unless bitcoins are paid out.
Customers of ticketing platform Qnect, which is widely used by the university sector for organising social events, this week received SMS messages stating that their personal data has been stolen and urged the recipient to pressure co-founder Ryan Chen and chief technology officer Ruslan Starikov into paying the ransom.
In a message to customers late on Tuesday night, Qnect co-founder and chief executive Daniel Liang said that the Australian Federal Police had been called in.
“I can confirm that this person does not have any financial information, and all card information is stored with 3rd party payments processor Stripe,” he said in an email to customers.
“Please ignore this person, as they are currently just harrassing our community. If they have texted you the maximum they will have is your name, e-mail, phone number to text you on.”
Business Insider has contacted the Australian Federal Police for comment. Liang could not be reached at the time of writing.
A group called RavenCrew has claimed responsibility for the hack, which may have exploited a security hole pointed out Monday afternoon by customer Tommaso Armstrong.
Armstrong pointed out on Twitter that any telephone number can be inputted into the Qnect system when purchasing a ticket and if it matches a number already in the system then it brings up that person’s other contact details, such as name, email address, student ID and degree.
Security expert Troy Hunt told Business Insider on Wednesday before the SMS scandal broke that such a loophole is “enormously irresponsible”.
“It put the privacy of their members at risk. In no way should they be returning personal data to the world in this way.”
— Tommaso Armstrong (@tommarmstrong) May 29, 2017
On social media, various university groups have posted messages to members to stay calm if they receive the threatening SMS. UNSW Law Society, UNSW Engineering Society, Sydney University Law Society and Macquarie University Business Society are just some of the many clubs that have been impacted.
Some of the societies, such as UNSW Law Society, have even suggested members contact Qnect to have their personal information deleted.
Liang and Chen founded Qnect in 2015, with the business selling 300,000 tickets by last month off a user base of 51,000. The startup takes a 5% to 10% commission from sold tickets as its revenue.