More than 1,000 people who signed up for a $95 annual membership to New York City’s Citi Bike program had their personal information posted on a subsidiary’s website, where it was “briefly accessible” back in April. That info reportedly included sensitive stuff like credit card numbers, contact information, security codes, passwords and other personal data.
Citi Bike revealed the security breach in a letter sent to the 1,174 affected members last week, reports the Wall Street Journal, noting that the data breach happened on April 15.
The flaw that made the breach possible was discovered and corrected “at the end of May,” said a spokesman for the city’s Department of Transportation. It’s not clear why it took so long to go from identifying the problem to fixing it, and then to letting customers know what had happened.
According to NYC Bike Share LLC, an “error log” containing the personal info that Citi Bike members use to access the site was available for anyone to see on the site on April 15, and the problem was fixed as soon as it was discovered, its president said in the letter. Whether or not that information was used for any mischief or wrongdoing… who knows, at this point.
“Notifications such as these are standard legal disclosures in any case where there is even the potential for information to have been improperly accessed,” the NYC DOT spokesman wrote in an email. “While there is no evidence that any personal information was maliciously accessed or misused, NYC Bike Share engaged a security firm to investigate and recommend appropriate steps to make notifications and safeguard its customers, including to provide identity and credit monitoring free of charge.”
Citi Bike Accidentally Exposes Customer Credit Card Information [Wall Street Journal]