Hacker compromised user data & illegally used car sharing service 33 times

Nik Cubrilovic, a 37-year-old IT security researcher and self-confessed computer hacker from Australia, has been accused of illegally accessing the customer database of Australian car-share firm GoGet. He has been taken to Lake Illawarra Police Station. He is the same person who previously informed GoGet of flaws in its software that could leave its systems open to cyber-attack.

Expert hacker with malicious deeds

Cubrilovic advertises himself as an ex-hacker turned “security consultant,” and his claim to fame is the identification of cyber-security flaws in several high-profile websites, including that of the Australian government (MyGov) and Facebook.

A resident of Penrose in the Southern Highlands, he held a legitimate GoGet account, which he created in mid-2016. Soon after creating his account, Cubrilovic started sending a series of emails to GoGet advising them about the salient vulnerabilities he had identified in the company’s operating systems.

Accessed GoGet vehicles by hacking user data

After his arrest, Detective Superintendent Arthur Katsogiannis noted that the accused accessed vehicles in the Sydney metropolitan area and then returned all of them. Police will conduct a forensic examination of the computers confiscated from Cubrilovic to confirm the exact number of customers affected by the data breach. Det. Katsogiannis stated that although no financial data has been stolen, investigations are still ongoing.

According to the police investigations, Cubrilovic illegally accessed and downloaded customer information from GoGet twice and then used the data to steal access to vehicles around 33 times from May to July 2017.

“Customer details were compromised and downloaded but we don’t believe from the early investigation any were on sold or disseminated any further. With some of these individuals, it’s not all about getting the benefit, it’s about proving they can do something and enhancing their reputation online,” said Det. Katsogiannis.

Riot Squad in action

The investigation began in July 2017, when GoGet reported to the police that it had detected unauthorized access to the company’s fleet booking system. After extensive inquiries by Strike Force Artsy detectives in collaboration with the Public Order and Riot Squad, a search warrant was issued and Cubrilovic’s residence in Penrose was searched this Tuesday morning. During the search, the police took several computers, electronic storage devices, and laptops into custody.

Nik Cubrilovic during AusCERT Conference in 2016. (Credit: YouTube)

The accused appeared in Wollongong Local Court via live stream. During the hearing, the prosecution stated that Cubrilovic was interviewed last year as a security consultant by the ABC’s Four Corners program. The prosecution also argued that if the accused were granted bail, he might commit further offenses, such as uploading the stolen database to the internet. The defense counsel countered that this is an “overblown” case.

No Internet for Cubrilovic

The accused is currently on bail under strict conditions: he has surrendered his passport, cannot contact GoGet customers or employees, cannot access the internet or cryptocurrency platforms, and must report to the police three times a week.

An email was sent to current and former customers of GoGet in which the company’s CEO, Tristan Sender, apologized for the data breach. “We are sorry that this has happened. We take your privacy very seriously and have been working hard to get the best outcome from this police investigation,” wrote Sender.

GoGet has confirmed that customers who registered for its services after July 27th have not been affected by this data breach, and that only those who signed up or updated their payment card data between 25 May 2017 and 27 July 2017 could have been affected by this incident.

Charged

Cubrilovic has been charged with two counts of unauthorized access, impairment, and modification with intent to commit a serious criminal offense, and 33 counts of taking and driving a conveyance without the consent of the owner. He created over 30 bookings on 5 vehicles, which included an Audi A3 convertible for a two-month period. Each time, he charged the vehicle hire fee to someone else’s account. The total amount owed by Cubrilovic is AUD 3423 (USD 2771/Euro 2224), according to the police.

An expert hacker and security researcher

It is worth noting that when the accused informed GoGet about flaws in its systems, the company rewarded him by waiving the money that he owed. Later, using his advanced hacking skills, Cubrilovic gained access to GoGet’s customer data after his girlfriend’s account got suspended.

Cubrilovic is the same hacker who revealed how Facebook stores user data and tracks people who are not even part of the social media site.


Waqas Amir