Suspect Charged With Hacking GoGet’s Customer Database, ‘Stealing’ Cars

Suspect Charged With Hacking GoGet’s Customer Database, ‘Stealing’ Cars
Image: GoGet

NSW Police Detectives from the Cybercrime Squad have arrested and charged an Illawarra man who allegedly gained “unauthorised access” to GoGet’s fleet booking system, using the information to “access cars” more than 30 times in a three month period in 2017.

The booking system contained customer information, and GoGet have issued a statement detailing what this data breach means for members. Here’s everything you need to know.

Cybercrime Squad Commander, Detective Superintendent Arthur Katsogiannis, says at this stage, it doesn’t appear that any of the downloaded information, which included customer details and “a small number of payment card details”, has “been used fraudulently or further disseminated”.

Inquiries are ongoing, however, so this may change.

GoGet revealed on 27 June 2017, the company’s IT team “identified suspected unauthorised activity on its system and a full internal investigation was immediately commenced”.

Police praised GoGet’s quick action notifying the Cybercrime Squad, which it worked closely with.

“We are sorry that this has happened,” GoGet CEO, Tristan Sender, said. “We take your privacy very seriously and have been working hard to get the best outcome from this police investigation.”

“We thank you for your ongoing support of GoGet.”

GoGet has contacted “all affected individuals” to let them know about the breach, and has confirmed if you are a member who joined after 27 July 2017, you’re safe.

“Only individuals who signed up to our service or updated their payment card details between the dates of 25 May 2017 and 27 July 2017 may have had their payment card details accessed.”

“The personal information accessed by the suspect depends on what information was provided to GoGet by the individual when they became, or attempted to become, a member,” GoGet confirmed, “This includes: name, address, email address, phone number, date of birth, driver licence details, employer, emergency contact name and phone number, and GoGet administrative account details.”

GoGet says it does not store payment card details on its system, instead using a third-party gateway.

For more information, GoGet has set up a webpage to answer any questions you may have.

Police say the quick actions by GoGet ensured an arrest could take place – an unusual and welcome result in a case like this.

“It is important to acknowledge the proactive approach taken by this company; not only was the incident swiftly identified and reported to police, they were also diligent in their assistance to detectives,” Katsogiannis said.

“I cannot emphasise enough how important the company’s early report and collaborative approach were to the success of the investigation. By combining the tools, expertise, and investigative capability of NSW Police Force investigators with industry experts and professionals we can have a real impact on cybercrime now and into the future.”

Strike Force Artsy detectives teamed up with the Public Order and Riot Squad to search the suspect’s home at Penrose yesterday morning, where computers, laptops, and electronic storage devices were seized.

The 37-year-old man was arrested and taken to Lake Illawarra Police Station, where he was charged with “two counts of unauthorised access, modification, or impairment with intent to commit serious indictable offence; and 33 counts of take and drive conveyance without consent of owner” NSW Police revealed.

Bail has been refused, and he will appear in court later today.