The personal information of GoGet customers was compromised in a hack, but the drive-sharing company took six months to notify customers to ensure an arrest could be made first.
Names, addresses, email addresses, phone numbers, dates of birth, driver
licence information and more were exposed in a hack of GoGet's
systems on 27 June 2017.
It's the kind of information that could be used to run a credit check or
fraudulently register a prepaid phone.
But GoGet only notified affected customers today, 31 January 2018, once the
NSW Cybercrime Squad charged a 37-year-old man with unauthorised access to
its database and its fleet of cars.
GoGet chief executive Tristan Sender says there is presently no evidence to
suggest people's data has been misused or shared, though NSW Police is
still investigating if software was installed on the company's systems to
access people's payment card details.
"We are sorry that this has happened. We take your privacy very seriously
and have been working hard to get the best outcome from this police
investigation," says Sender.
"Although the investigation by NSW Police is ongoing, it appears that the
suspect was accessing GoGet's systems in an attempt to use GoGet vehicles
without permission," he adds.
GoGet has more than 90,000 members across five Australian cities, but a NSW Police
spokesperson says the exact number of accounts that were affected is still being determined.
The hack didn't affect just members; the details of people who tried to
create an account were also compromised.
The company says it held off warning affected customers sooner
on the advice of NSW Police, so as not to jeopardise
the investigation or prompt the information to be shared.
Customers have now been notified after police arrested a suspect
at his NSW home yesterday and seized "computers, laptops and electronic storage devices".
The man was charged with two counts of unauthorised access, modification or
impairment with intent to commit serious indictable offence, and 33 counts
of take and drive conveyance without consent of owner. It's alleged he drove the cars between May and July 2017.
Detective Superintendent Arthur Katsogiannis of the Cybercrime Squad
commended GoGet on reporting the hack early.
"It is important to acknowledge the proactive approach taken by this
company; not only was the incident swiftly identified and reported to
police, they were also diligent in their assistance to detectives."
"I cannot emphasise enough how important the company's early report and
collaborative approach were to the success of the investigation."
The man has been refused bail and will appear at Wollongong
Local Court later today.