Cyber Incident Victim: GoGet

Date: May 2017

Location: Australia

Summary

A car-sharing service experienced unauthorized system access where an attacker compromised customer data including names, addresses, contact details, driver's licenses, employers, emergency contacts, and administrative account information. The breach also involved malware potentially capturing payment card details for users who signed up or updated billing information during the incident period. Law enforcement arrested an individual linked to the intrusion, who allegedly exploited stolen credentials to unlawfully access vehicles. The company delayed public notification based on police guidance to prevent investigation interference and further data dissemination. Approximately 90,000 customers were affected, with no confirmed fraudulent misuse of the exposed information at the time of disclosure. Authorities investigated whether payment card data from a limited group was exfiltrated via the malware, though the firm stated it does not store payment details directly. The incident was reported to cybersecurity regulators and affected individuals were advised to monitor financial accounts.

Description

Unauthorized activity on GoGet's systems was detected by its IT team on June 27, 2017, prompting an immediate internal investigation. The breach was later determined to have occurred between May and July 2017, during which an attacker illegally accessed the company's database on two separate occasions. Compromised data included customer names, addresses, email addresses, phone numbers, dates of birth, driver's license details, employers, emergency contact information, and GoGet administrative account credentials. The perpetrator used stolen credentials to access vehicles without authorization on at least 33 occasions. New South Wales Police Cybercrime Squad investigators discovered that the suspect allegedly installed malware targeting payment card details of customers who signed up for the service or updated their payment information between May 25 and July 27, 2017. GoGet clarified that it doesn't store payment data directly, relying instead on a third-party gateway.

The incident was reported to law enforcement, culminating in the arrest of a 37-year-old Illawarra man on January 30, 2025, following a raid by Strike Force Artsy detectives and the Public Order and Riot Squad. Authorities seized computers, laptops, and storage devices during the arrest. The suspect faced two charges of unauthorized system access with intent to commit serious indictable offenses and 33 counts of vehicle theft. GoGet delayed customer notification for seven months based on explicit police advice that early disclosure might compromise the investigation and risk data dissemination. Affected customers were advised on January 31, 2025, to monitor payment statements and credit reports, with offers for free annual credit checks through Equifax and other agencies. The Office of the Australian Information Commissioner was formally notified, and the disclosure occurred one month before Australia's mandatory data breach notification law took effect in February 2025. Forensic analysis found no evidence of fraudulent data use or widespread dissemination at the time of disclosure.
