NSW Police have arrested a suspect who allegedly gained unauthorised access to Australian ride sharing company GoGet's fleet booking system and customer information.
The breach occurred in June last year, in which the suspect gained access to 30 GoGet vehicles without permission between May and July 2017.
GoGet said it couldn't notify customers about the breach until this morning on advice from the NSW Police Cybercrime Squad, who said making the breach public could jeopardise the ongoing investigation.
The company said it appeared the suspect accessed the personal info of customers who created an account before 27 July, including names, addresses, email addresses, phone numbers, dates of birth, driver licence details, employers, emergency contact names and phone numbers, and GoGet administrative account details.
NSW Police said there was no evidence to suggest that the suspect disseminated any of the personal information. The Cybercrime Squad are also continuing to investigate whether the suspect installed software on GoGet's system to access payment information that was held by a third party.
GoGet has since contacted affected customers about the breach and advised them to continue to monitor their bank accounts for any suspicious activity.
The company said it had commissioned a "comprehensive review" of its systems and processes and already made a number of improvements. GoGet didn't specify how the breach occurred or what improvements had been made, however.
"We are sorry that this has happened. We take your privacy very seriously and have been working hard to get the best outcome from this police investigation," said GoGet chief executive Tristan Sender.
A 37-year-old Illawarra man was arrested this morning in relation to the breach. He was subsequently charged with two counts of unauthorised access, modification or impairment with intent to commit serious indictable offence, and 33 counts of take and drive conveyance without consent of owner.
The suspect will face the Wollongong local court today.
Cybercrime Squad commander detective superintendent Arthur Katsogiannis praised GoGet's cooperation and initiative to report the breach to police early.
“I cannot emphasise enough how important the company’s early report and collaborative approach were to the success of the investigation," he said.
“By combining the tools, expertise, and investigative capability of NSW Police Force investigators with industry experts and professionals we can have a real impact on cybercrime now and into the future.”
The Australian government passed new laws in February last year that will require businesses and government agencies to notify the Privacy Commissioner and customers of any data breaches. The new laws come into effect on 22 February.