Police arrest alleged hacker behind GoGet data breach

The hack resulted in the compromise of GoGet members' data

A 37-year-old man from the Illawarra region in NSW has been charged for allegedly hacking into the database of Australian car sharing start-up, GoGet.

GoGet emailed current and former members on 31 January notifying them of an incident that involved unauthorised activity on its systems, and that customer data had been compromised as a result of the hack.

“On 27 June 2017, GoGet’s IT team identified suspected unauthorised activity on its system and a full internal investigation was immediately commenced,” the company said. “GoGet quickly reported the incident to the NSW Police’s Cybercrime Squad and has since worked closely with NSW Police which has culminated in the arrest of a suspect – an unusual and welcome outcome in a case like this.

“Although the investigation by NSW Police is ongoing, it appears that the suspect was accessing GoGet’s systems in an attempt to use GoGet vehicles without permission.

“In the process, as part of his overall activity on the system, it also appears that the suspect has accessed personal information of GoGet’s members and individuals who have previously attempted to create a GoGet account,” the company said.

GoGet stressed that payment card details that may have been provided by customer were not affected by the incident.

“Also, based on advice from the NSW Police Cybercrime Squad, at this time there is no evidence of misuse of, or that the suspect has disseminated any of, your personal information,” GoGet said.

The NSW Police said on 31 January that detectives from the Cybercrime Squad have since charged a 37-year-old man from Illawarra, on the NSW South Coast, who “allegedly gained unauthorised access to a company’s database and stole cars”.

The man, who has been refused bail, is set to appear at Wollongong Local Court on 31 January. The man has been charged with two counts of unauthorised access, modification, or impairment with intent to commit serious indictable offence; and 33 counts of take and drive conveyance without consent of owner.

The Police said that detectives from the State Crime Command’s Cybercrime Squad established Strike Force Artsy to investigate unauthorised access to the administrative section of GoGet’s website in July last year.

Investigators subsequently identified that unauthorised access was gained into the company’s fleet booking system and customer identification information from the database was downloaded.

Police will allege in court that the information obtained by the suspected hacker was used to access vehicles without consent on more than 30 occasions between May and July 2017.

Strike Force Artsy detectives, assisted by the Public Order and Riot Squad, executed a search warrant at a home at Penrose on 30 January 2018.

During the search, investigators seized computers, laptops, and electronic storage devices.

According to Cybercrime Squad Commander, Detective Superintendent Arthur Katsogiannis, the investigation is continuing.

“At this stage, it doesn’t appear that any information, which included customer details and a small number of payment card details, has been used fraudulently or further disseminated, but our inquiries are ongoing,” Katsogiannis said.

GoGet has set up a dedicated webpage to provide further information about the incident and subsequent data breach. 

“We are sorry that this has happened. We take your privacy very seriously and have been working hard to get the best outcome from this police investigation,” the company said.