Australian car-sharing company GoGet was hacked by a person who had previously advised it of security flaws that could make it vulnerable to attack.
Nik Cubrilovic, 37, from Penrose in the Southern Highlands, was the holder of a legitimate GoGet account in mid-2016 when he sent the online company a series of emails advising them he had identified vulnerabilities in their operating systems.
Police allege Cubrilovic used his hacking skills a year later to access GoGet’s customer database when his girlfriend’s account was suspended.
It is alleged he created 33 bookings on five different vehicles, including an Audi A3 Convertible, over a two-month period, each time charging the vehicle hire fee to a stranger’s account. The total cost of the fraud was $3,423, police said.
In an email alerting customers to the breach on Wednesday 31 January, GoGet chief executive Tristan Sender said members’ personal information was accessed as part of the hacking activity.
However, it’s not believed at this stage that the information was disseminated, nor that Mr Cubrilovic had any intention to use it beyond getting himself free rides.
“We are sorry that this has happened,” Mr Sender said in the statement, also explaining that the breach was not initially disclosed to customers at the request of NSW Police.
“We take your privacy very seriously and have been working hard to get the best outcome from this police investigation.”
A web page has been set up for affected customers to access support.
Any data breach is serious, especially one involving personal details that potentially include driver’s licence number, date of birth, address and credit card details.
That Cubrilovic advised GoGet of flaws and then exploited them for personal gain shows GoGet was not as quick off the mark as its cars are, and there is no excuse for shoddy security.
Mark Gorrie, Territory Manager, Norton Business Unit at Symantec, provided some sage advice.
Key points and tips to keep safe:
Ridesharing companies can share data with third parties. Not everyone knows this!
The world has changed because the paradigm has shifted from bank robberies to data breaches, simply because all our personal info can be easily accessed in one place from companies that store that data.
Until all ridesharing companies are held accountable for how they collect, store, and protect our data, responsibility ultimately falls to consumers to be aware of the companies they conduct business with and to be diligent, educated, and aware of how their data is handled when using services and apps.