NYC's new Citi Bike program exposes card info of riders

Share this article:

New York City's two-month-old bike-sharing program, Citi Bike, sustained a data breach that exposed the personal and financial information of people who signed up for annual membership.

How many victims? 1,174.

What type of personal information? Names, credit card numbers and security codes, online account passwords, birth dates, contact information and security questions used to authenticate users of the Citi Bike website.

What happened? On April 15, before the program officially launched, the data of individuals who signed up for annual Citi Bike memberships was briefly accessible via the program's website due to a software glitch. The breach occurred because data stored on an “error log” file was exposed.

Citi Bike launched on May 27.

What was the response? NYC Bike Share, the operator of the Citi Bike program, hired a security firm to investigate. Last Friday, NYC Bike Share sent notification letters to affected individuals and plans to offer them  free credit and identity theft monitoring services.

Quote: “Notifications such as these are standard legal disclosures in any case where there is even the potential for information to have been improperly accessed,” Seth Solomonow, a spokesman for New York City's Department of Transportation, said. “While there is no evidence that any personal information was maliciously accessed or misused, NYC Bike Share engaged a security firm to investigate and recommend appropriate steps to make notifications and safeguard its customers, including to provide identity and credit monitoring free of charge.”

Source: The Wall Street Journal blog,, “Citi Bike Accidentally Exposes Customer Credit Card Information,” July 23, 2013.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Next Article in The Data Breach Blog

Sign up to our newsletters



More in The Data Breach Blog

Sourcebooks payment card breach impacts more than 5,000 customers

More than 5,000 customers had personal information stolen, but roughly 9,000 notification letters were sent out as a precautionary measure.

Cyberswim notifies customers that payment card data may be at risk

Malicious software installed on Sept. 24 may have compromised personal information for visitors that made purchases between May 12 and Aug. 28.

Marquette University notifies graduate applicants of possible breach

Settings for an internal file server were inadvertently modified, making graduate school applications accessible to anyone with Marquette University login credentials.