A security researcher well known in the Australian infosec community has been revealed as the man charged with allegedly hacking the fleet booking system of car sharing service GoGet.
Nik Cubrilovic today faced Wollongong court via video link charged with accessing customer data and free rides from GoGet without authorisation.
NSW Police alleges he accessed the GoGet system on more than 30 occasions between May and July last year.
He has been charged with two counts of unauthorised access, modification, or impairment with intent to commit serious indictable offence; and 33 counts of take and drive conveyance without consent of owner.
Cubrilovic is a well-known personality in the Australian infosec community. He previously made headlines for reporting security vulnerabilities with the government's MyGov site in 2014 as well as with Facebook in 2011.
He was today granted bail under conditions he not access the internet or cryptocurrency, surrender his passport, not contact GoGet employees or customers, and report to police three times a week.
iTnews was unable to reach Cubrilovic.
According to the Illawarra Mercury, Cubrilovic had informed GoGet of vulnerabilities in its fleet booking system in 2016, for which GoGet rewarded him by waiving money owed on his account.
But police reportedly allege that a year later he hacked into the system when his girlfriend's account was suspended, creating more than 30 bookings on five different vehicles and each time charging the booking to a stranger's account.
The total cost of the alleged fraud was $3423, the Mercury reported. Cubrilovic's lawyer has labelled the case "totally overblown".
GoGet informed customers of the breach on Wednesday, seven months after it is alleged to have occurred.
The company said it had chosen to hold off on notifying customers of the breach based on police advice; NSW Police said it did not want to alert the attacker to its investigation and risk him publishing the customer data.
GoGet and NSW Police said there was no evidence the suspect had disseminated any of the stolen information, which included customer names, addresses, email addresses, phone numbers, dates of birth, drivers licence details and "other GoGet administrative account details".