NYC's new Citi Bike program exposes card info of riders

Share this article:

New York City's two-month-old bike-sharing program, Citi Bike, sustained a data breach that exposed the personal and financial information of people who signed up for annual membership.

How many victims? 1,174.

What type of personal information? Names, credit card numbers and security codes, online account passwords, birth dates, contact information and security questions used to authenticate users of the Citi Bike website.

What happened? On April 15, before the program officially launched, the data of individuals who signed up for annual Citi Bike memberships was briefly accessible via the program's website due to a software glitch. The breach occurred because data stored on an “error log” file was exposed.

Citi Bike launched on May 27.

What was the response? NYC Bike Share, the operator of the Citi Bike program, hired a security firm to investigate. Last Friday, NYC Bike Share sent notification letters to affected individuals and plans to offer them  free credit and identity theft monitoring services.

Quote: “Notifications such as these are standard legal disclosures in any case where there is even the potential for information to have been improperly accessed,” Seth Solomonow, a spokesman for New York City's Department of Transportation, said. “While there is no evidence that any personal information was maliciously accessed or misused, NYC Bike Share engaged a security firm to investigate and recommend appropriate steps to make notifications and safeguard its customers, including to provide identity and credit monitoring free of charge.”

Source: The Wall Street Journal blog,, “Citi Bike Accidentally Exposes Customer Credit Card Information,” July 23, 2013.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Next Article in The Data Breach Blog

Sign up to our newsletters



More in The Data Breach Blog

Malware on Breyer Horses website for about 18 months, payment card data ...

Malware installed on the computer server hosting the Breyer Horses website may have compromised personal information for people who made purchases between March 31, 2013 and Oct. 6.

Transcript website flaw exposed personal data on 98k users expose users' names, addresses and dates of birth, among other information, due to a site flaw that one user discovered.

Sourcebooks payment card breach impacts more than 5,000 customers

More than 5,000 customers had personal information stolen, but roughly 9,000 notification letters were sent out as a precautionary measure.