GoGet reveals customer data hack in mid-2017, ahead of mandatory disclosure laws coming into effect

cars on freeway

Car-sharing service GoGet has revealed it was a victim of a security breach in late June 2017, eight months before new data breach disclosure laws are due to come into effect nationwide.

The company said this week that it had identified a breach in its security systems from an unauthorised hacker in June last year, and immediately launched an internal investigation.

The New South Wales Police Cybercrime Squad was also notified, as it is believed the suspected hacker was attempted to access the company’s fleet booking system to use its cars without permission.

NSW Police have since said a suspect has been taken into custody and charged with two counts of unauthorised access, modification, or impairment with intent to commit serious indictable offence, and 33 counts of take and drive conveyance without consent of owner.

The data accessed by the suspected hacker may include whatever information GoGet customers provided upon signing up to the service, including their name, address, email address, phone number, date of birth, driver licence details, employer, emergency contact name and phone number.

GoGet said it has emailed all customers affected by the breach to let them know if their personal information or payment card details have been accessed, however, the company said “there’s no evidence that the suspect has disseminated any of the personal information or payment card details of affected individuals”.

“This has and will continue to be monitored closely by the NSW Police as part of its investigation,” the company said.

Despite the breach occurring seven months ago, GoGet said it was advised by NSW Police not tell customers or else the investigation could be jeopardised.

The car-sharing service said it has now brought in external cybersecurity experts to assess how improvements can be made to its security infrastructure, and customers have also been advised to review their credit ratings for any discrepancies or unusual activity.

Nationwide mandate to disclose data breaches

This security breach comes just weeks before a nationwide requirement for businesses turning over $3 million a year to disclose any security breaches to their customers comes into effect on February 22.

According to the legislation, companies will have 30 days to inform their customers if disclosure of data from a hacker or other unauthorised source “would be likely to result in serious harm to any of the individuals to whom the information relates”.

Failure to disclose a breach under the new regulations could see companies hit with fines of up to $1.8 million, while individuals could be fined up to $360,000.

GoGet was not legally required to disclose its breach to customers, however, cybersecurity consultant Nick Ellsmore says the company made a step in the right direction.

‘The fact they made the breach public is a positive step. The thing going to scare most organisations is if someone goes public before you do, that can be very damaging,” he says.

Over the first six to 18 months of the new disclosure rules being in play, Ellsmore says the first cases of data disclosure will set precedents for how the Office of the Australian Information Commissioner (OAIC) assesses future cases.

“The Privacy Act is written in poor terms. It uses the term ‘reasonable steps’ [to deal with assessing breaches], and ultimately OAIC issues guidance and other interpretations to help people understand what those what steps are,” he says. 

“I think in time it will all become a lot clearer, particular when the first couple of organisations choose not to disclose and they get hauled over for not making an incorrect assessment.”

Due to the broad language written into the mandatory disclosure legislation, Ellsmore fears companies may take advantage of the room for interpretation by seeking out agencies who will argue on the side of the company wishing not to disclose their breach.

“The whole structure isn’t in place yet, but you can imagine a situation in which an organisation doesn’t want to disclose and they could effectively consult security firms until they found someone who says, ‘no I don’t think there is any case of serious harm’.”

Never miss a story: sign up to SmartCompany’s free daily newsletter and find our best stories on TwitterFacebookLinkedIn and Instagram.


Notify of
1 Comment
Newest Most Voted
Inline Feedbacks
View all comments
3 years ago

wow, another piece of legislation open to interpretation… It should be mandatory that ANY business that retains ANY customer information ALWAYS must inform those customers of ANY security breach of their system where customer’s data was or MIGHT have been accessible. If a local video shop stores customer identity and payment information on their computer and it is hacked, they should have to tell those customers. It shouldn’t be a matter of scale – this should be an opportunity to hammer home that customer information is PRIVATE and needs to be SECURE. No matter what. Get real.

The only allowance for size of business should be increasing FINES if a business is over $1 million AND the requirement that any breach in systems of a business (or related group of businesses) with an aggregate turnover in excess of $1 million should not only have to disclose to their customers but should ALSO have to disclose to the public by advertising the breach on a government web site – could be placed on the existing Product Recalls site, for example. Everyone should be able to be made aware of which companies are experiencing breaches and the magnitude of those breaches. It will assist them in making future decisions about which companies and organisations they wish to buy from, trade with or donate to.

This should have the desired effect of making sure every business lifts its game when it comes to security.