Australia's largest car-sharing service GoGet has revealed that its systems were compromised in June last year, with a man scabbing more than 30 free rides using the service.
The company, which has 90,000 members and 2,300 cars across Sydney, Melbourne, Brisbane, Canberra and Adelaide, emailed all customers on Wednesday morning to say that in June last year the company's IT team became aware that there was unauthorised activity on its system.
CEO Tristan Sender told customers that NSW Police was informed, and told GoGet not to notify customers while the investigation was underway.
Sender said that the alleged hacker, a 37-year-old Illawarra man who has since been arrested, appeared to be attempting to get into GoGet's systems in order to access cars without permission (GoGet's service operates by a smart card system that allows drivers into the vehicle with their own card). But in the course of doing that, Sender said, the personal information of some GoGet members was accessed.
Those who had their information accessed have been emailed individually by GoGet, the company said. The information accessed included names, addresses, phone numbers, dates of birth, drivers' licence details, employers, emergency contact names and numbers, and GoGet's administrative account details.
Additionally, GoGet said NSW Police is investigating whether the attacker installed software to gain access to credit card information for customers who signed up from May 25 to June 27, 2017.
"Based on advice from the NSW Police Cybercrime Squad, at this time there is no evidence that the suspect has disseminated any of the personal information or payment card details of affected individuals," GoGet said. "This has and will continue to be monitored closely by the NSW Police as part of its investigation."
The company said it waited over six months before informing customers because NSW Police was concerned that informing the public would jeopardise the investigation.
NSW Police said in a statement that the hacker allegedly gained access to GoGet's booking system, and gained access to GoGet cars more than 30 times from May to July 2017.
The man has been charged with two counts of unauthorised access, modification, or impairment with intent to commit serious indictable offences; and 33 counts of driving a car without the owner's consent.
He will appear in Wollongong Local Court later today.
NSW Cyber Squad commander, detective superintendent Arthur Katsogiannis, said that the company did the right thing in reporting early to the police.
"It is important to acknowledge the proactive approach taken by this company; not only was the incident swiftly identified and reported to police, they were also diligent in their assistance to detectives," he said in a statement.
“I cannot emphasise enough how important the company’s early report and collaborative approach were to the success of the investigation."
In a press conference, Katsogiannis said that in some cases the hacker is not attempting to gain from the act, but to showe they can do it.
"What you've got to realise with some of these individuals, it's not always about getting benefit. It's about proving they can do something and enhancing their reputation online in that particular way."
He said that GoGet was keen to inform customers, but that it was important for the police to do its work first.
"We were unsure as to whether anyone else was working with the particular individual, or whether any customers were involved with this particular breach," he said.
The Office of the Australian Information Commissioner has also been informed, the company said.
The revelation comes just under a month before the new mandatory data breach notification law comes into effect on February 22. This will require companies and government agencies to inform the public of a data breach "as soon as practicable" or face penalties.