Australian car sharing company GoGet today admitted to a June 2017 data breach that includes drivers licence details, payment card numbers and other personal data, but said it did not disclose the matter until now on the advice of Police.
In an email sent to members today (and The Register, thanks to kind readers) plus a breach notification and FAQ the company said “On 27 June 2017, GoGet’s IT team identified suspected unauthorised activity on its system and a full internal investigation was immediately commenced.”
Police from the Australian State of New South Wales were called not long afterwards and the force says it established “Strike Force Artsy” probe the matter in July 2017.
Australian car-share biz GoGet working on autonomous vehicleREAD MORE
“”With the assistance of company staff, investigators identified that unauthorised access was gained into the company’s fleet booking system and customer identification information from the database was downloaded,” the NSW Police statement says. “Following extensive inquiries, Strike Force Artsy detectives, assisted by the Public Order and Riot Squad, executed a search warrant at a home at Penrose just after 8am yesterday (Tuesday 30 January 2018).
“A 37-year-old man was arrested at the home and taken to Lake Illawarra Police Station, where he was charged with two counts of unauthorised access, modification, or impairment with intent to commit serious indictable offence; and 33 counts of take and drive conveyance without consent of owner.”
The NSW Police statement says it’s found more than 30 attempts to access GoGet’s database.
GoGet's statement said the company "is limited in what it can say about the specific methods used by the suspect to gain unauthorised access to GoGet’s systems and vehicles.
The company added that the breach only impacts “individuals who signed up to our service or updated their payment card details between the dates of 25 May 2017 and 27 July 2017 may have had their payment card details accessed.”
Other data accessed included names, addresses, email addresses, phone numbers, dates of birth, drivers licence details and “other GoGet administrative account details.”
While payment card details “were not affected by this incident”, the loss of licence data means the potential for identity theft or fraud is high. Happily, GoGet and NSW Police cannot find “evidence of misuse of, or that the suspect has disseminated any of, your personal information.”
“We are sorry that this has happened,” GoGet CEO Tristan Sender signs off in the email. “We take your privacy very seriously and have been working hard to get the best outcome from this police investigation.”
GoGet’s offered “a range of steps individuals can take to maximise the ongoing security of their information.” One of those is to consult Equifax, the credit bureau that itself suffered a massive data breach in 2017.
Sigh. It never ends. ®