GoGet Hacker Previously Advised Company On Security Flaws, Court Told


A self-confessed computer hacker accused of illegally accessing the customer database of car-share company GoGet had previously advised the company on flaws in its software system that could make it vulnerable to cyber attack, a court has heard.

Nik Cubrilovic, 37, from Penrose in the Southern Highlands, was the holder of a legitimate GoGet account in mid-2016 when he sent the online company a series of emails advising them he had identified vulnerabilities in their operating systems.


Cubrilovic, who advertises himself as a “former hacker turned security consultant”, has previously made headlines for his work in exposing cyber security flaws, including on the Australian government’s MyGov website and Facebook.

GoGet rewarded Cubrilovic for his advice at the time by waiving money owed on his account, which he then closed a short time later.

However, police will allege Cubrilovic used his advanced hacking skills a year later to access GoGet’s customer database when his girlfriend’s account was suspended.

It is alleged he created more than 30 bookings on five different vehicles, including an Audi A3 Convertible, over a two-month period, each time charging the vehicle hire fee to a stranger’s account. The total cost of the fraud was $3423, police said.

Meanwhile, police claim GPS data from the cars shows they were predominantly driven between Cubrilovic’s then home address in Neutral Bay and the home of his parents in Penrose, a two-hour drive away.

That investigation culminated in officers raiding the Penrose property on Tuesday morning and seizing Cubrilovic’s mobile phone and computer, which they believe he used to carry out the alleged crime.

Cubrilovic was arrested at the scene and charged with two counts of unauthorised access with intent to commit a serious indictable offence and 33 counts of taking a car without owner consent.

Police opposed Cubrilovic’s application for bail, claiming there was a risk he could use his technical skills to flee the country or tamper with evidence contained on cloud-based software.

“During this offence the accused stole a sizeable database of identification details,” documents tendered to the court said.

“During investigations it was found he used three different phone numbers subscribed with different fake details.

“Investigators believe that if the accused is granted bail he will delete evidence and may use stolen identity details to create [a] fake identity [to] evade police and the courts.”

Sergeant Ryan labelled Cubrilovic’s alleged behaviour a “sophisticated, ongoing course of conduct” that would likely land him a full-time jail sentence if he was convicted of the charges against him.

However, defence lawyer Matt Russoniello argued the case against Cubrilovic had been “totally overblown” and was no different to any other fraud case that came before the courts – a submission which was rejected by Magistrate Mark Douglass.

Mr Russoniello denied Cubrilovic was a flight risk, saying he had strong ties to the Illawarra, a limited criminal history and would agree to abide by any conditions imposed by the court.

Mr Douglass agreed to grant Cubrilovic bail but banned him from accessing the internet or having anyone access it on his behalf.

“The way in which this was done generates concern and can’t be trivialised,” he said.

Cubrilovic will also be required to live with his parents at the Penrose property, report to police three times a week, surrender his passport and agree not to contact any witnesses or GoGet employees.

Cubrilovic was supported in court on Wednesday by his brother. Neither man spoke to waiting media after Cubrilovic was released from custody on Wednesday evening.

The case will return to court on April 24 in Sydney.

GoGet staff first identified the alleged unauthorised activity on July 27 last year. They alerted police, who created Strike Force Artsy to investigate.

After extensive inquiries culminated in the execution of a search warrant, police arrested Mr Cubrilovic, 37, at his Penrose home on Tuesday.

In 2014, Mr Cubrilovic was interviewed by Fairfax Media after he revealed vulnerabilities in the federal government’s myGov website that left millions of Australians’ private information exposed.

He demonstrated how one of the security flaws enabled him to hijack the account of any registered myGov user.

He also made international news in 2011 when he revealed how Facebook was tracking users’ web activity even when they were logged out of the social networking site.

In an email alerting customers to the breach on Wednesday morning, GoGet chief executive Tristan Sender said members’ personal information was accessed as part of the hacking activity.

However, it’s not believed at this stage that the information was disseminated, nor that Mr Cubrilovic had any intention to use it beyond getting himself free rides.

“We are sorry that this has happened,” Mr Sender said in the statement, also explaining that the breach was not initially disclosed to customers at the request of NSW Police.

“We take your privacy very seriously and have been working hard to get the best outcome from this police investigation.”

A web page has been set up for affected customers to access support.

Cybercrime Squad Commander, Detective Superintendent Arthur Katsogiannis, acknowledged the “proactive approach” taken by GoGet as key to the result. “Not only was the incident swiftly identified and reported to police, they were also diligent in their assistance to detectives,” he said.

GoGet is an Australian car-sharing service whose members pay an annual or monthly fee for membership, and can then book online to get access to one of the company’s cars, which are located throughout major cities.

The company said it had commissioned a comprehensive security review of its systems, and that a number of improvements were being made.