An Australian online ticket start-up company, Get, reportedly suffered a “potential data leak” which led to personal details of thousands of people to be exposed.

Get, a Sydney-based company founded in 2016, manages memberships and allows students from various university clubs and associations to sell tickets to events in four countries. The company has more than 159,000 students users from 453 different societies and clubs.

Over the weekend, a University of Canberra software engineering student posted the news on social media, ABC reports. The student, who asked to remain anonymous, said he found the data when applying for a club membership and found a list of people who were a part of the society right on the website. After a quick search, he was able to find the personal data for about 200,000 users. This information included email addresses, phone numbers, birth dates, and student numbers. He reported this information to Get and the universities that were impacted.

Ticket Flipping's toolbox of ticket broker tools

Get posted the news on its website, noting that the company “immediately acted” after learning about the “potential vulnerability” in its systems.

“If we become aware of any specific information which has been compromised we will notify the organisations, their members and report a breach,” the company’s statement said. “No personal payment information is stored in Get’s databases and payments are processed by a secure third-party payment processor, responsible for many of the world’s online transactions.”

At this time, Get is still investigating the potential leak and said that it would provide another update once more details become available.

The Office of the Australian Information Commissioner, Australia’s national privacy regulator, told ABC that it was aware of reports of a potential data breach involving Get and while they could not provide specific information, they “expect any organisation to act quickly to contain a data breach involving personal information and assess the potential impact on those affected.”

“If it’s likely to result in serious harm, and the organization is covered by the privacy act, they must notify the people who are affected and the OAIC as quickly as possible,” a spokesman for the office said.