
Australian police have arrested a 37-year-old man on accusations of hacking GoGet, a car-sharing service.

Police say the man hacked the company in May last year and used his access to the company's servers not only to gain free use of the company's fleet of cars, but also to download data on the company's customers from its database.

GoGet only now notifying customers

GoGet acknowledged the hack in a statement posted on its site. The company said it discovered the incident on June 27 last year and immediately notified police.

Despite the common practice of notifying users in the event of a breach, the company said it did not alert users that a hacker had downloaded their data from its servers, on "the strong advice of NSW Police."

GoGet says NSW Police felt that notifying affected individuals could jeopardize the investigation and force the hacker to disseminate the information online.

Hacker focused on accessing GoGet cars for free

GoGet is a car-sharing service that has various types of vehicles spread across a city. Customers are supposed to create a GoGet online account and buy a GoGet smartcard. They pay for cars using the online account, and they use the smartcard to access GoGet cars left across the city.

The company said the hacker was mostly interested in using its car fleet for free. Police said they found evidence the hacker accessed vehicles without consent on more than 30 occasions between May and July 2017, when the company secured its servers and cut off the hacker's access.

Police haven't released the man's name. The 37-year-old is a resident of Penrose, in Illawarra, a region in the Australian state of New South Wales. Officers arrested the man on Tuesday, January 30, at his home.

Stolen information varies from user to user

According to GoGet, the information the hacker downloaded varies based on what users had stored in their accounts. This can be the customer's name, address, email address, phone number, date of birth, driver license details, employer, emergency contact name and phone number, and GoGet administrative account details.

Both police and GoGet said the hacker doesn't appear to have downloaded passwords or credit card details.

"We have recently written to a number of our members notifying them that they need to update their password. This change was unrelated to this incident and was part of an overall security improvement adopted by GoGet," the company said.

Police investigating malware that collected card data

In addition, police officers found malware on GoGet's server that was meant to collect payment card details from users entering or updating them on their GoGet account.

The malicious code was active between May 25, 2017, and July 27, 2017. NSW Police are investigating whether the suspect was responsible for installing this malware on GoGet's server.
