GoGet reveals data breach as police arrest alleged hacker

GoGet and NSW Police have tracked down the suspected hacker behind a newly-disclosed data breach suffered by the car sharing service last year.

GoGet today informed customers of a systems breach that occurred on June 27 2017.

It said an individual had accessed GoGet's fleet booking system in an attempt to use the company's vehicles without permission or payment.

Update: the alleged attacker has been revealed as security researcher Nik Cubrilovic.

The individual also accessed personal data belonging to GoGet members and people who had attempted to create a GoGet account, the company said.

Information accessed by the attacker included names, addresses, email addresses, phone numbers, dates of birth, drivers licence details and "other GoGet administrative account details".

It did not detail how the attacker managed to infiltrate its systems.

The company said while payment data was not accessed, NSW Police was investigating whether the suspect had installed software on GoGet's systems to access payment card details held by a third party for a "small group of individuals" between May 25 and July 27 last year.

GoGet said NSW Police had advised there was no evidence the suspect had disseminated any of the stolen information.

"This has and will continue to be monitored closely by the NSW Police as part of its investigation," CEO Tristan Sender said.

The company said it had not notified customers sooner of the seven-month old breach based on advice from police.

"The strong advice of NSW Police was that notifying affected individuals sooner could jeopardise their investigation and potentially lead to the suspect disseminating the information," the company said.

"GoGet’s number one focus has been to protect its members and any affected individuals and retrieve information potentially accessed by the suspect to prevent any misuse of that information.

"On this basis, GoGet took the view that the best way to secure the information accessed by the suspect was to bring the perpetrator to justice."

The company claims to be Australia's first and largest car sharing service, with close to 100,000 members.

Suspect arrested

NSW Police today said in a separate statement that a 37-year-old Illawarra man had been arrested over the breach, following a search at his Penrose home yesterday.

Police allege the suspect accessed GoGet's fleet booking system more than 30 times between May and July last year.

He has been charged with two counts of unauthorised access, modification, or impairment with intent to commit serious indictable offence; and 33 counts of take and drive conveyance without consent of owner.

The man will appear at Wollongong local court later today and has been refused bail.

Detective superintendent Arthur Katsogiannis praised GoGet's collaborative approach to the investigation.

“It is important to acknowledge the proactive approach taken by this company; not only was the incident swiftly identified and reported to police, they were also diligent in their assistance to detectives," he said.

“I cannot emphasise enough how important the company’s early report and collaborative approach were to the success of the investigation."

GoGet said it had made improvements to its systems based on a review by external cyber security experts to reduce the risk of future breaches.

It advised customers to monitor their bank accounts for discrepancies or unusual activity and to be vigilant to phishing scams.

"We are sorry that this has happened. We take your privacy very seriously and have been working hard to get the best outcome from this police investigation," Sender said.

From February 22 organisations will be required to report any data breaches as soon as practicable under new mandatory data breach notification laws.