GoGet hacked, waits 6 months to inform customers

Number of accounts affected still being determined.

  • GoGet hacked, waits six months to tell customers
  • Payment details of some customers still at risk
  • 37-year-old charged with 33 joy rides

The personal information of GoGet customers was compromised in a hack, but the drive-sharing company took six months to notify customers to ensure an arrest could be made first.

Names, addresses, email addresses, phone numbers, dates of birth, driver licence information and more were exposed in a hack of GoGet's systems on 27 June 2017.

It's the kind of information that could be used to run a credit check or fraudulently register a prepaid phone.

But GoGet only notified affected customers today, 31 January 2018, once the NSW Cybercrime Squad charged a 37-year-old man with unauthorised access to its database and its fleet of cars.

GoGet chief executive Tristan Sender says there is presently no evidence to suggest people's data has been misused or shared, though NSW Police is still investigating if software was installed on the company's systems to access people's payment card details.

"We are sorry that this has happened. We take your privacy very seriously and have been working hard to get the best outcome from this police investigation," says Sender.

"Although the investigation by NSW Police is ongoing, it appears that the suspect was accessing GoGet's systems in an attempt to use GoGet vehicles without permission," he adds.

GoGet has more than 90,000 members across five Australian cities, but a NSW Police spokesperson says the exact number of accounts that were affected is still being determined.

The hack didn't affect just members; the details of people who tried to create an account were also compromised.

The company says it didn't warn affected customers sooner under the advice of NSW Police, so as not to jeopardise their investigation or lead to the information being shared.

Customers have now been notified after police arrested a suspect at his NSW home yesterday and seized "computers, laptops and electronic storage devices".

The man was charged with two counts of unauthorised access, modification or impairment with intent to commit serious indictable offence, and 33 counts of take and drive conveyance without consent of owner. It's alleged he drove the cars between May and July 2017.

Detective Superintendent Arthur Katsogiannis of the Cybercrime Squad commended GoGet on reporting the hack early.

"It is important to acknowledge the proactive approach taken by this company; not only was the incident swiftly identified and reported to police, they were also diligent in their assistance to detectives."

"I cannot emphasise enough how important the company's early report and collaborative approach were to the success of the investigation."

The man has been refused bail and will appear at Wollongong Local Court later today.