Unauthorised activity and arrest of suspect
FAQs for affected individuals
31 January 2018
A statement from GoGet’s CEO
To our valued members past and present, and other individuals affected by this incident.
We wish to notify you of an incident that has involved unauthorised activity on our system.
On 27 June 2017, GoGet’s IT team identified suspected unauthorised activity on its system and a full internal investigation was immediately commenced. GoGet quickly reported the incident to the NSW Police’s Cybercrime Squad and has since worked closely with NSW Police which has culminated in the arrest of a suspect —an unusual and welcome outcome in a case like this.
Although the investigation by NSW Police is ongoing, it appears that the suspect was accessing GoGet’s systems in an attempt to use GoGet vehicles without permission. In the process, as part of his overall activity on the system, it also appears that the suspect has accessed personal information of GoGet’s members and individuals who have previously attempted to create a GoGet account.
Based on advice from the NSW Police Cybercrime Squad, at this time there is no evidence that the suspect has disseminated any of the personal information of affected individuals.
We commend the NSW Police Cybercrime Squad on making an arrest following a thorough and extensive investigation, and are pleased the suspect will now face the criminal justice system.
This dedicated webpage has been established to provide further information.
We are sorry that this has happened. We take your privacy very seriously and have been working hard to get the best outcome from this police investigation. To read the NSW Police statement regarding this investigation please click here.
We thank you for your ongoing support of GoGet.
Frequently Asked Questions
Have I been affected?
If you are a GoGet member, a past member or have attempted to sign up to our service, you may have been affected. GoGet has reached out to all affected individuals to inform them of this incident and specifically how it relates to them. We can also confirm that any individual who signed up to our service after 27 July 2017 has not been affected by this incident.
What information has been accessed?
GoGet has emailed all individuals affected by this incident to confirm whether their personal information and/or payment card details have been accessed.
The personal information accessed by the suspect depends on what information was provided to GoGet by the individual when they became, or attempted to become, a member. This includes: name, address, email address, phone number, date of birth, driver licence details, employer, emergency contact name and phone number, and GoGet administrative account details.
NSW Police are also investigating whether the suspect was responsible for installing software onto GoGet’s systems to access payment card details of a small group of individuals when they signed up to the service through GoGet’s website or updated their payment card details. GoGet does not store payment card details on its system but integrates with an external, third-party payment gateway service. Only individuals who signed up to our service or updated their payment card details between the dates of 25 May 2017 and 27 July 2017 may have had their payment card details accessed.
Based on advice from the NSW Police Cybercrime Squad, at this time there is no evidence that the suspect has disseminated any of the personal information or payment card details of affected individuals. This has and will continue to be monitored closely by the NSW Police as part of its investigation.
Why didn’t you tell affected individuals sooner?
The strong advice of NSW Police was that notifying affected individuals sooner could jeopardise their investigation and potentially lead to the suspect disseminating the information. GoGet’s number one focus has been to protect its members and any affected individuals and retrieve information potentially accessed by the suspect to prevent any misuse of that information. On this basis, GoGet took the view that the best way to secure the information accessed by the suspect was to bring the perpetrator to justice.
What steps has GoGet taken to improve security?
As soon as GoGet became aware of the system intrusion a comprehensive review of its systems and processes was commissioned. External cybersecurity experts have assessed the integrity of our systems leading to a number of improvements being made which are intended to reduce the risk of future incidents.
What action do affected individuals need to take?
While at this time there is no evidence that information has been disseminated, out of an abundance of caution we have outlined below a range of steps that individuals affected by this incident can take to maximise the ongoing security of their information:
- Review and continue to monitor your credit report for any discrepancies or unusual activity. You can apply for an annual free credit report from each of the three national consumer Credit Reporting Agencies (Equifax, Dun & Bradstreet, and Experian) or if you have ever held credit in Tasmania, from the Tasmanian Collection Service. If you notice any discrepancies or unusual activity on your credit report, you can request that a ban be put in place while you investigate further. Relevant contact details are below:
Credit Reporting Agency
Dun & Bradstreet
Tasmanian Collection Service
- Review and continue to monitor your financial and payment card account statements for any discrepancies or unusual activity. Contact your financial institution if you have any concerns.
- Currently there is no indication that you should cancel or replace your drivers licence. Contact your driver licensing authority if you have any concerns
- Remain vigilant to phishing scams and only respond to legitimate GoGet communications. More information about phishing scams is available on the ACCC’s website.
You can find additional guidance about protecting your identity by visiting the Office of the Australian Information Commissioner’s website, as well as the Attorney-General’s Department website.
Do I need to change my GoGet account password?
No. You do not need to change your GoGet account password. We have recently written to a number of our members notifying them that they need to update their password. This change was unrelated to this incident and was part of an overall security improvement adopted by GoGet.
Has GoGet notified the Office of the Australian Information Commissioner?
Yes. GoGet has contacted the Office of the Australian Information Commissioner about this incident and will be working cooperatively with that Office in respect of this incident.
What else can you share about this incident?
This appears to be the illegal act of one individual based in NSW. Given the ongoing NSW Police investigation, GoGet is limited in what it can say about the specific methods used by the suspect to gain unauthorised access to GoGet’s systems and vehicles.
Who do I contact for more information?
We understand that affected individuals may have further questions about this incident. We have established this dedicated FAQ webpage and will be updating it if, and when, any new information becomes available. We have also established a dedicated email mailbox (firstname.lastname@example.org) and hotline (1800 557 394) in case affected individuals have specific questions.
For any media inquiries, please email email@example.com.