Car-sharing service GoGet issued a statement on Wednesday alerting customers to unauthorised activity on its system that culminated in the arrest of the alleged perpetrator.
On June 27, 2017, GoGet said its IT team identified suspected unauthorised activity on its system and immediately conducted a full internal investigation.
At the same time, GoGet reported the incident to the New South Wales Police Cybercrime Squad, which on Wednesday confirmed it had charged a 37-year-old Illawarra man who allegedly gained unauthorised access to the company's database and also stole cars.
"With the assistance of company staff, investigators identified that unauthorised access was gained into the company's fleet booking system and customer identification information from the database was downloaded," NSW Police said in a statement.
It will be alleged in court the information obtained by the man was used to access vehicles without consent on more than 30 occasions between May and July 2017.
Strike Force Artsy detectives, assisted by the Public Order and Riot Squad, executed a search warrant at a home at Penrose in NSW just after 8am Tuesday, during which investigators seized computers, laptops, and electronic storage devices.
The man was arrested on the spot and charged with two counts of unauthorised access, modification, or impairment with intent to commit serious indictable offence; and 33 counts of take and drive conveyance without consent of owner.
"Based on advice from the NSW Police Cybercrime Squad, at this time there is no evidence that the suspect has disseminated any of the personal information of affected individuals," GoGet CEO Tristan Sender said in a statement.
"We are sorry that this has happened. We take your privacy very seriously and have been working hard to get the best outcome from this police investigation."
GoGet members, as well as past members or those who have attempted to sign up to the service in the past, may have been affected. The company said it has reached out to all affected individuals to inform them of how the incident specifically relates to them.
However, any individual who signed up to GoGet after July 27, 2017 has not been affected.
The compromised information includes name, address, email address, phone number, date of birth, driver licence details, employer, emergency contact name and phone number, and GoGet administrative account details, the company confirmed.
NSW Police are also investigating whether the suspect was responsible for installing software onto GoGet's systems to access payment card details of a small group of individuals when they signed up to the service through GoGet's website or updated their payment card details.
GoGet confirmed it does not store payment card details on its system but integrates with an external, third-party payment gateway service.
Only individuals who signed up to the service or updated their payment card details between the dates of May 25, 2017 and July 27, 2017 may have had their payment card details accessed.
GoGet said the police told it not to notify individuals before Wednesday, as doing so could jeopardise the investigation and might also result in the suspect disseminating the information.
GoGet has also contacted the Office of the Australian Information Commissioner about the incident and said it will be working cooperatively on its investigation into the matter.