CarShare Australia’s popular car sharing service GoGet has been hit by a massive data breach that may affect all users who joined prior to July 27, 2017.
The company released a statement about the breach, which happened on June 27 2017. A 37-year-old hacker based in New South Wales was behind the breach. He allegedly gained unauthorised access to the company’s fleet booking system and access vehicles without consent.
According to the NSW Police, he has been charged with two counts of unauthorised access, modification, or impairment with intent to commit serious indictable offence; and 33 counts of take and drive conveyance without consent of owner.
He has been refused bail to appear at Wollongong Local Court later today.
All affected GoGet users have been notified. The company says it waited such a long time to tell affected users because notification at any earlier date could have jeopardised the police investigation and led to the hacker spreading information.
“GoGet’s number one focus has been to protect its members and any affected individuals and retrieve information potentially accessed by the suspect to prevent any misuse of that information. On this basis, GoGet took the view that the best way to secure the information accessed by the suspect was to bring the perpetrator to justice,” the company says.
However Webroot senior security analyst Randy Abrams says the situation raises important issues about encryption and responsible disclosure.
“GoGet, and all other businesses owe their customers the protection of encrypted personal data. It is most unfortunate that the use of encryption is not ubiquitous,” Abrams says.
“While we’re all pleased that the perpetrator was brought to justice, this breach brings up many questions on defining what ‘responsible disclosure’ means for companies - especially when it relates to cyber attacks.”
The Australian Information Commissioner and the New South Wales Police’s Cybercrime Squad were both involved in the investigation and, according to the statement, the hacker has been arrested although the company can’t say much about how the breach occurred.
“Although the investigation by NSW Police is ongoing, it appears that the suspect was accessing GoGet’s systems in an attempt to use GoGet vehicles without permission. In the process, as part of his overall activity on the system, it also appears that the suspect has accessed personal information of GoGet’s members and individuals who have previously attempted to create a GoGet account,” GoGet's statement says.
The hacker reportedly stole personal information including names, addresses, email addresses, phone numbers, dates of birth, driver licence details, employer, emergency contact name and phone number, and GoGet administrative account details.
“Cyber-dependent crimes pose a significant risk to the community, for both individuals and business, and are emerging as one of the greatest challenges for law enforcement in the 21st century,” comments Detective Superintendent Arthur Katsogiannis.
GoGet says police are also investigating whether the hacker installed spying software that could access payment card details from a ‘small group of individuals’ who signed up or updated payment details between May 25 and July 27, 2017.
The company stresses that it doesn’t store payment card details on its own system but it does integrate with a third party service.
GoGet says that there is no evidence to suggest the hacker has shared any of the personal information they gained from the attack.
The company hired ‘external cybersecurity experts’ to assessed GoGet’s systems integrity and it says a number of improvements were made to reduce the risk of future incidents.
The NSW Police have praised GoGet for its proactive approach.
“Not only was the incident swiftly identified and reported to police, they were also diligent in their assistance to detectives,” Katsogiannis says.
“I cannot emphasise enough how important the company’s early report and collaborative approach were to the success of the investigation,” Katsogiannis continues.
Affected users do not need to change their passwords, however GoGet is asking everyone to be vigilant.
GoGet offers the following tips if you believe you have been affected: