Security consultant granted bail after 'hacking' GoGet systems

The self-proclaimed hacker has been denied access to the internet by a NSW court as a condition of his bail, after being accused of accessing the car-sharing company's systems.
Written by Asha Barbaschow, Contributor

A New South Wales court has granted bail to the 37-year-old man accused of accessing the systems of car-sharing service GoGet, after the company went public with the breach Wednesday morning.

Entrepreneur and self-proclaimed hacker Nik Cubrilovic was arrested on Tuesday and charged on the spot by NSW Police on two counts of unauthorised access, modification, or impairment with intent to commit serious indictable offence; and 33 counts of take and drive conveyance without consent of owner for allegedly breaching GoGet's systems.

He was charged with the accusations in court.

It was alleged in court that the information obtained by Cubrilovic was used to access vehicles without consent on more than 30 occasions between May and July 2017.

He appeared in Wollongong Local Court on Wednesday and was granted bail on conditions including that he has no internet access, reports daily to police, and surrenders his passport.

Waiting seven months to declare the breach at the "strong advice" of state police, GoGet went public about the incident and apologised to customers in an email on Wednesday morning.

Cubrilovic is accused of accessing the company's fleet booking system and downloading customer identification information including name, address, email address, phone number, date of birth, driver licence details, employer, emergency contact name and phone number, and GoGet administrative account details.

He allegedly stole and returned the 33 vehicles between May and June 2017.

In a tweet from Cubrilovic dating back to May 30, 2016, the accused proclaims that he "just booked a GoGet for the weekend", praising the service in another post.

GoGet's IT team identified suspected unauthorised activity on its system on June 27, 2017, and immediately conducted a full internal investigation. At the same time, it reached out to police.

Strike Force Artsy detectives, assisted by the Public Order and Riot Squad, executed a search warrant at a home at Penrose in NSW just after 8am Tuesday, during which investigators seized computers, laptops, and electronic storage devices.

Detective Superintendent Arthur Katsogiannis said customer details were not on-sold or disseminated.

"What's happened here is you've got a company that was proactive, on the front foot, came forward, and reported the matter," Det Supt Katsogiannis said.

Police said they monitored the company's database during the investigation and would have notified any individual if they believed they were at risk.

Police are still searching through seized computers and storage devices and trying to establish the number of customers affected by the breach.

Cubrilovic became prominent in the security community in 2011 after he exposed a Facebook privacy flaw which meant the social media giant was tracking web-browsing activity even after users logged out.

He also founded online storage startup Omnidrive in mid-2004.

Cubrilovic is scheduled to appear in Downing Centre Local Court in Sydney on April 24, 2018.

With AAP

