Car-sharing service GoGet has revealed it was a victim of a security breach in late June 2017, eight months before new data breach disclosure laws are due to come into effect nationwide.
The company said this week that it had identified a breach in its security systems from an unauthorised hacker in June last year, and immediately launched an internal investigation.
The New South Wales Police Cybercrime Squad was also notified, as it is believed the suspected hacker was attempted to access the company’s fleet booking system to use its cars without permission.
NSW Police have since said a suspect has been taken into custody and charged with two counts of unauthorised access, modification, or impairment with intent to commit serious indictable offence, and 33 counts of take and drive conveyance without consent of owner.
The data accessed by the suspected hacker may include whatever information GoGet customers provided upon signing up to the service, including their name, address, email address, phone number, date of birth, driver licence details, employer, emergency contact name and phone number.
GoGet said it has emailed all customers affected by the breach to let them know if their personal information or payment card details have been accessed, however, the company said “there’s no evidence that the suspect has disseminated any of the personal information or payment card details of affected individuals”.
“This has and will continue to be monitored closely by the NSW Police as part of its investigation,” the company said.
Despite the breach occurring seven months ago, GoGet said it was advised by NSW Police not tell customers or else the investigation could be jeopardised.
GoGet emailed me a whole 7 months after they were hacked to say a bunch of my personal info was compromised. Absolutely useless company. pic.twitter.com/VdAvyHvAaU
— Tom Joyner (@tomrjoyner) January 30, 2018
The car-sharing service said it has now brought in external cybersecurity experts to assess how improvements can be made to its security infrastructure, and customers have also been advised to review their credit ratings for any discrepancies or unusual activity.
Nationwide mandate to disclose data breaches
This security breach comes just weeks before a nationwide requirement for businesses turning over $3 million a year to disclose any security breaches to their customers comes into effect on February 22.
According to the legislation, companies will have 30 days to inform their customers if disclosure of data from a hacker or other unauthorised source “would be likely to result in serious harm to any of the individuals to whom the information relates”.
Failure to disclose a breach under the new regulations could see companies hit with fines of up to $1.8 million, while individuals could be fined up to $360,000.
GoGet was not legally required to disclose its breach to customers, however, cybersecurity consultant Nick Ellsmore says the company made a step in the right direction.
‘The fact they made the breach public is a positive step. The thing going to scare most organisations is if someone goes public before you do, that can be very damaging,” he says.
Over the first six to 18 months of the new disclosure rules being in play, Ellsmore says the first cases of data disclosure will set precedents for how the Office of the Australian Information Commissioner (OAIC) assesses future cases.
“The Privacy Act is written in poor terms. It uses the term ‘reasonable steps’ [to deal with assessing breaches], and ultimately OAIC issues guidance and other interpretations to help people understand what those what steps are,” he says.
“I think in time it will all become a lot clearer, particular when the first couple of organisations choose not to disclose and they get hauled over for not making an incorrect assessment.”
Due to the broad language written into the mandatory disclosure legislation, Ellsmore fears companies may take advantage of the room for interpretation by seeking out agencies who will argue on the side of the company wishing not to disclose their breach.
“The whole structure isn’t in place yet, but you can imagine a situation in which an organisation doesn’t want to disclose and they could effectively consult security firms until they found someone who says, ‘no I don’t think there is any case of serious harm’.”