A prominent IT security consultant allegedly hacked GoGet to take his Swedish girlfriend on joyrides in luxury cars for free.
Nik Cubrilovic was accused of racking up a $3,000 bill hiring out 33 cars including an Audi A3 between May and July 2017, using other customers’ details.
His girlfriend Britta Johansson even posted a photo to Instagram of the couple driving around Wollongong in a high-end GoGet car in May last year.
Prominent IT security consultant Nik Cubrilovic allegedly hacked GoGet to take his Swedish girlfriend on joyrides in luxury cars for free (couple pictured in one of them in May 2017)
He was accused of racking up a $3000 bill hiring out 33 cars including an Audi A3 between May and July 2017, using other customers’ details
The 37-year-old was arrested by heavily-armed riot and cyber crime police at his home in Penrose in the NSW Southern Highlands on Tuesday morning.
He allegedly gained access to the car hire company’s fleet booking system to download customer identification information from the database.
Cubrilovic used the names, addresses, email addresses, phone numbers, dates of birth and drivers’ licence details to steal and return the cars, police alleged.
He was charged with two counts of unauthorised access or modification, and 33 counts of stealing cars, and faced Wollongong Local Court on Wednesday.
Prosecutors asked for him to be denied bail fearing he could ‘destroy evidence’ or hide it in his Amazon cloud account, according to the Daily Telegraph.
Cubrilovic and his girlfriend Britta Johansson driving in a luxury convertible earlier in their relationship before he allegedly started hacking GoGet
The couple have been in a relationship since at least mid-2015 according to their social media
‘Investigators believe that if the accused is granted bail he will delete evidence and may use stolen identity details to create fake identity evade police and the courts,’ Detective Simon Hulme said in court documents.
Police said Cubrilovic was ‘extremely uncooperative’ and refused to allow them access to his devices, and it would be difficult to monitor him 24/7.
They also warned in the court documents that he was a ‘significant risk’ of fleeing to Sweden, Ms Johansson’s homeland, to evade the charges.
The couple have been in a relationship since at least mid-2015, according to their social media that show them taking many glamorous trips together.
There was no suggestion from police that Ms Johansson knew her boyfriend had obtained the cars illegally and she was not arrested.
The well-known hacker was granted bail on the condition he didn’t have access to the internet or his Bitcoins and surrendered his passport.
Cubrilovic rose to prominence in 2011 when he exposed a Facebook privacy flaw which meant users’ web-browsing was being tracked even after they logged out.
The 37-year-old was arrested by heavily-armed riot and cyber crime police at his home in Penrose in the NSW Southern Highlands on Tuesday morning
A man who allegedly hacked into car-sharing service GoGet and stole over 30 cars is behind bars after a police raid (pictured are police officers during the arrest)
His letter to the social media giant made international news and forced Facebook to make significant changes to its privacy systems.
Then in 2014 he revealed vulnerabilities in the Australian Government’s myGov websites left the private information of millions exposed.
He demonstrated how he could easily exploit the weaknesses and hijack the account of any user and steal their identity.
‘If you were to score this [myGov] site out of 10 in terms of security it would be, like, zero or barely half a point,’ he said at the time.
The New South Wales Police riot squad arrested the man, 37, at a home in Penrose in the NSW Southern Highlands on Tuesday morning (pictured is the arrested man with police officers)
GoGet apologised to customers in an email on Wednesday (pictured are police officers with the arrested man)
It is alleged the man gained unauthorised access into GoGet’s fleet booking system to download customer identification information from the database (pictured are police officers during the arrest)
Cubrilovic the same year ran a blog that analysed security holes in various companies including Apple’s iCloud.
He explained in detail how the notorious 2014 celebrity photo leak, which led to thousands of nude photos being published online, was able to occur.
More recently he was researching how inadvertently leaked company information was being used to make millions on the stockmarket from insider trading.
Cubrilovic’s arrest followed a six-month investigation by the Cybercrime Squad that began in July, after GoGet approached police.
Detective Superintendent Arthur Katsogiannis said customer details were not on-sold or used for any other purpose other than to steal cars.
He said GoGet’s database was monitored during the investigation and users would have been warned if they were believed to be at risk.
‘What’s happened here is you’ve got a company that was proactive, on the front foot, came forward and reported the matter,’ he said.
Police warned Cubrilovic was a ‘significant risk’ of fleeing to Sweden, Ms Johansson’s homeland, to evade the charges
The well-known hacker appeared to have expensive taste as he was pictured casually downing a $200 bottle of Scotch
Superintendent Katsogiannis said making the breach public would have endangered the investigation and police gave ‘strong advice’ to GoGet to keep quiet.
GoGet chief executive Tristan Sender apologised to customers in an email on Wednesday, saying the company took privacy ‘very seriously’.
‘Although the investigation by NSW Police is ongoing, it appears that the suspect was accessing GoGet’s systems in an attempt to use GoGet vehicles without permission,’ he said.
Customers were assured their payment card details had not been affected by the incident.
‘Based on advice from the NSW Police Cybercrime Squad, at this time there is no evidence of misuse of, or that the suspect has disseminated any of, your personal information,’ he said.
‘[That] includes your name, address, email address, phone number, date of birth, drivers licence details and other GoGet administrative account details.’
He then allegedly used the information to steal 33 vehicles between May and July 2017, police said (pictured are police officers during the arrest)
Customers were assured their payment card details had not been affected by the incident (pictured are police officers during the arrest)
Sorry we are not currently accepting comments on this article.