A well-known cyber security consultant has been charged over a data breach at Australian car sharing service GoGet that potentially compromised the personal information of its users.
Nik Cubrilovic, 37, was arrested and appeared in Wollongong Local Court.
He was charged with two counts of unauthorised access, modification or impairment with intent to commit serious indictable offence and 33 counts of take and drive conveyance without consent of owner.
GoGet confirmed in a statement last Wednesday that it had identified unauthorised activity in its system in June last year. GoGet CEO Tristan Sender said the company immediately launched a full internal investigation and reported the matter to the New South Wales Police Cybercrime Squad.
“We are sorry that this has happened,” Sender said.
“We take your privacy very seriously and have been working hard to get the best outcome from this police investigation.”
The company has only just notified users that their personal data may have been accessed, six months after the incident.
GoGet said that it did not advise its users of the breach earlier on advice from NSW police.
“The strong advice of NSW Police was that notifying affected individuals sooner could jeopardise their investigation and potentially lead to the suspect disseminating the information,” the company said in a statement.
“GoGet’s number one focus has been to protect its members and any affected individuals and retrieve information potentially accessed by the suspect to prevent any misuse of that information.”
“With the assistance of company staff, investigators identified that unauthorised access was gained into the company’s fleet booking system and customer identification information from the database was downloaded,” police said in the statement.
This information was used to access GoGet vehicles without consent more than 30 times between May and July last year.
Sender said that there is no indication this information has been spread by the hacker.
“Based on advice from the NSW Police Cybercrime Squad, at this time there is no evidence that the suspect has disseminated any of the personal information of affected individuals,” he said.
GoGet members, past members and anyone who attempted to sign up to the car share service in the past may have been impacted by the breach. The company said it has now reached out specifically to any users who may have been affected.
Any user who signed up after 27 July 2017 was not impacted by the breach.
The compromised information is anything that a user has told GoGet, potentially including name, address, email address, phone number, date of birth, driver licence details, employer and emergency contact name.
NSW Police is also investigating whether the hacker installed software on GoGet’s system in order to access payment information of a “small group” of users. The company said that it does not store payment details and instead integrates with an external third-party payment gateway, but users who signed up between 25 May and 27 July may have had their credit card details accessed.
These users have been advised to review and monitor their credit reports and account statements.
GoGet has since brought in external cyber security experts to help make improvements on the company’s cyber security, and has also informed the Office of the Australian Information Commissioner about the breach.
It comes just weeks before Australia’s Mandatory Data Breach Notification laws come into effect, requiring companies to inform customers within 30 days of a breach if the data accessed would “be likely to result in serious harm to any of the individuals to whom the information relates.”
Failure to do this could lead to a fine of $1.8 million for a company and $360,000 for an individual.
At the end of last year it was revealed that ridesharing giant Uber had paid off a group of hackers to cover up a huge breach of its users’ personal data in 2016. The names, email addresses and phone numbers of 50 million Uber users were stolen, while the driver’s licence numbers of seven million drivers were also compromised.
Uber was legally obligated to report the breach to US authorities, but instead paid a ransom to the hackers to keep it quiet.