A prominent hacker, entrepreneur and IT security consultant has been granted bail after appearing in a NSW court accused of breaching car-sharing company GoGet's systems to steal vehicles.
Nik Cubrilovic, 37, was arrested by the riot squad at Penrose, in the state's Southern Highlands, on Tuesday following a six-month police investigation.
GoGet went public about the breach and apologised to customers in an email on Wednesday morning, about seven months after it first noticed suspicious activity in late June 2017.
Cubrilovic is accused of accessing the company's fleet booking system and downloading customer identification information including names, addresses, email addresses, phone numbers, dates of birth and drivers' licence details.
He allegedly stole and returned more than 30 cars between May and June.
Cubrilovic became prominent in 2011 after he exposed a Facebook privacy flaw which meant the social media giant was tracking web-browsing activity even after users logged out.
He was charged with two counts of unauthorised access, modification, or impairment with intent to commit a serious indictable offence, and 33 counts of taking and driving a conveyance without the owner's consent.
He appeared in Wollongong Local Court on Wednesday and was granted bail on conditions including that he has no internet access, reports daily to police and surrenders his passport.
Detective Superintendent Arthur Katsogiannis said customer details were not on-sold or disseminated.
Cyber-dependent crimes were not usually resolved, he said.
"What's happened here is you've got a company that was proactive, on the front foot, came forward and reported the matter," Det Supt Katsogiannis said.
However, some customers vented their frustration online at not being told sooner.
Police say they monitored the company's database during the investigation and would have notified any individual if they believed they were at risk.
Going public with the breach would have potentially compromised the investigation, Det Supt Katsogiannis said, and police gave "strong advice" to GoGet to keep it under wraps.
The company's chief executive Tristan Sender said GoGet took privacy "very seriously".
"We are sorry that this has happened," he said in an email to customers.
Police are searching through seized computers and storage devices and trying to establish the number of customers affected by the breach.
Cubrilovic is scheduled to appear in Downing Centre Local Court on April 24.
