Car-share biz GoGet became data share biz after 2017 hack attack

Australian car sharing company GoGet today admitted to a June 2017 data breach that includes driver's licence details, payment card numbers and other personal data, but said it did not disclose the matter until now on the advice of police. In an email sent to members today (and The Register, thanks to kind readers) plus a …

  1. Anonymous Coward

    Sack the CEO, CIO... and fine them all.

    How can the privacy commissioner be happy that standard procedure following a breach in his jurisdiction is to recommend affected customers visit a third party that has made exactly the same mistake but on an even larger scale, and may well do the same in future?

    Not to mention recommending that customers visit three other third parties, all of whom REQUIRE even more personal information than GoGet collected, just to 'identify' the victim.

    Worse, D&B even insist on being sent actual copies of your government issued IDs; not just the ID numbers, before running a rudimentary check.

    How can the solution be to extract even more valuable PII from the victim and store it inside more computer systems that will be (at some point) vulnerable to compromise (or probably are, right now)?

    Until someone actually bites the buffoons that fail to secure their systems, it will only get worse. The police are no deterrent, especially when the majority of hackers reside in practically untouchable locations. And the commissioner has no teeth; the law has no practical effect; the gov never acts to protect anyone other than themselves. Until people actually insist on being able to sue in such situations, this will get worse.

    And being able to sue is only the start... from a regulatory point of view, the protection of PII needs to be the priority, not its (ab)use. No major party will lift a finger because doing so upsets the spooks, the tax office and everyone else keen to record everything anyone does.

  2. Anonymous Coward

    Until Australia does something about the abuse of data...

    Nothing will change.

    The best solution to date is the GDPR in Europe: Specific enough to help the clueless closer to compliance, and get some of the abusers to Court.

    The problem is, it stops your people's data being mined (or rather, raped and pillaged) like any other resource. And the pillaging of resources is what Australia has shown itself to be best at in the last 200 years- or at least, since the forests and indigenous people were cleared away.

  3. Anonymous Coward

    What should I do?

    At some point their dumb website insisted I upload a scanned copy of my driver's license. I visited their office to show them in person instead. It was clearly the first time anyone had done this.

    A lot of online entities want a digital copy submitted online now. No-one can tell the fools in command that doing this is a blatant abuse of customer privacy. I know for a fact that many think they are 'just marketers, or business managers', and they can't be expected to understand the most basic principles of data protection, let alone the risks or impacts. Their KPIs never include customer privacy either.

    Given that someone local got in there (and was caught), the chances are everything of value has been available to others, or on the dark web, for some time already. But we'll never know, as the forensic investigation is being handled by 'cybercrime' police instead of an independent team of specialised computer forensics experts bound to transparent, public reporting. All that means is that the embarrassing stuff will be kept under wraps and vetted by lawyers and concerned bureaucrats fearing 'any impacts on public confidence'.

    BTW: They say what was lost is information "provided to GoGet by the individual when they became, or attempted to become, a member. This includes:

    * name,

    * address,

    * email address,

    * phone number,

    * date of birth,

    * driver licence details,

    * employer,

    * emergency contact name and phone number, and

    * GoGet administrative account details"

    Looks damn near 100 points of info.

    The email they sent does not give specific advice on what to do. What can I do?

    Lock every credit file held on me by a credit reference agency? How long for?

    1. Anonymous Coward

      Re: What should I do?

      It's a lot of info to have on someone. All you might need to open an account with a bank, a crypto broker account, possibly even a company or a securities trading account, not just hosting services, e-commerce sites or domains. They'd probably have to link it to a bank account in the same name with some places, but with that much, an attacker can access all your current stuff and apply for new things you'd never have dreamt possible.

      Maybe they can create a false passport, credit cards, anything you can do, especially if they can check your physical mailbox when they need to. Or they can just change your address when it suits them.

      Not sure what to do, but it's only a matter of time before credit agencies will become defunct if they don't monitor when people's identities get compromised.

  4. Anonymous Coward

    This is why I'll be happy when the reactionaries die out and I can get an ID chip implant. No one is going to steal my dog's identity that's for sure.

    I'd strongly suspect our suspect isn't a super whizz who's found his own zero-day. This is either the work of inside knowledge, social engineering, or a known exploit that's not been patched. I guess most of us would bet on the latter. And yep, if you don't patch your stuff and you get pwned, you should be 100% liable and publicly shamed to boot.

  5. Anonymous Coward

    Well, they successfully buried this breach...

    It's been months now, not a sniff of a follow up anywhere. The sweep-to-doormat strategy worked! E.g.

    1. Don't disclose, or wait till the last moment such as when the first accused shows up in court or police mention it publicly

    2. Hide in plain sight (don't publish any links on the web; keep to the bare minimum, an un-linked page which is only accessible through a single link in an email sent to those that (legally) have to be informed)

    3. Minimise media impact

    4. Disclose no further info, hope the police page is removed or search engines demote its rankings

    5. Avoid publicity and other mentions

    6. Nail those accused and settle in Court to ensure everyone remains quiet

    7. Make money out of click-thrus to the data slurpers (aka 'credit reference agencies')

    Who needs protections when catastrophic loss has no impact other than a waste of public resources?

  6. Anonymous Coward

    When they sent out their email about the investigation

    Earlier they claimed:

    "We have established this dedicated FAQ webpage and will be updating it if, and when, any new information becomes available."

    Well so much for that, eh?


Biting the hand that feeds IT © 1998–2019