Popular car-sharing company GoGet has disclosed a major data breach seven months after it was first detected in June 2017 as the alleged hacker was arrested by Australian police this week. In an email sent to customers on Wednesday (31 January), the firm said its IT team identified "unauthorised activity" on its system on 27 June last year and immediately launched a full internal investigation.
The incident was reported to the New South Wales Police Cybercrime Squad who confirmed their investigation culminated with the arrest of a 37-year-old man from Illawarra this week.
Between May and July last year, the man allegedly illegally accessed the service's database and downloaded customers' personal data on two occasions and used it to access vehicles on at least 33 occasions without consent.
Assisted by the Public Order and Riot Squad, Strike Force Artsy detectives arrested the man at a home in Penrose early Tuesday morning and seized computers, laptops and electronic storage devices. The man has been charged with two counts of unauthorised access, modification, or impairment with intent to commit serious indictable offence along with 33 counts of take and drive conveyance without consent of the owner.
According to GoGet, the data compromised varies based on what information customers stored in their accounts. The compromised data includes customers' names, addresses, email addresses, phone numbers, dates of birth, driver's license details, employers, emergency contact details and GoGet administrative account details.
Law enforcement authorities are also investigating whether the suspect was responsible for installing malware on GoGet's systems designed to swipe the payment card details of a "small group of individuals" when they signed up for the service online or updated their payment card details on their GoGet accounts.
GoGet has said it does not store payment card details on its own systems but integrates with an external, third-party payment gateway service. Customers who signed up for the service or updated their payment card details between 25 May and 27 July 2017 may have had their data compromised.
The company has about 90,000 customers and 2,300 cars across Melbourne, Sydney, Brisbane, Adelaide and Canberra.
"At this stage, it doesn't appear that any information, which included customer details and a small number of payment card details, has been used fraudulently or further disseminated, but our inquiries are ongoing," Detective Superintendent Arthur Katsogiannis said in a statement.
CEO Tristan Sender said they did not notify affected customers sooner based on the "strong advice" of NSW police that alerting individuals could "jeopardise their investigation and potentially lead to the suspect disseminating the information."
Customers have been advised to monitor their credit reports and payment card statements for any unusual or unauthorised activity. GoGet also said users can opt for an annual free credit report and listed three agencies including Equifax.
The Office of the Australian Information Commissioner has also been notified of the breach.
The disclosure happens to come a month before a new data breach notification law takes effect on 22 February, requiring government agencies and companies to inform the public of a data breach "as soon as practicable" or risk facing penalties.
"We are sorry that this has happened," Sender said. "We take privacy very seriously and have been working hard to get the best possible outcome from this police investigation.
"GoGet's number one focus has been to protect its members and any affected individuals and retrieve information potentially accessed by the suspect to prevent any misuse of that information," the company said. "On this basis, GoGet took the view that the best way to secure the information accessed by the suspect was to bring the perpetrator to justice."