NYC's new Citi Bike program exposes card info of riders

Share this article:

New York City's two-month-old bike-sharing program, Citi Bike, sustained a data breach that exposed the personal and financial information of people who signed up for annual membership.

How many victims? 1,174.

What type of personal information? Names, credit card numbers and security codes, online account passwords, birth dates, contact information and security questions used to authenticate users of the Citi Bike website.

What happened? On April 15, before the program officially launched, the data of individuals who signed up for annual Citi Bike memberships was briefly accessible via the program's website due to a software glitch. The breach occurred because data stored on an “error log” file was exposed.

Citi Bike launched on May 27.

What was the response? NYC Bike Share, the operator of the Citi Bike program, hired a security firm to investigate. Last Friday, NYC Bike Share sent notification letters to affected individuals and plans to offer them  free credit and identity theft monitoring services.

Quote: “Notifications such as these are standard legal disclosures in any case where there is even the potential for information to have been improperly accessed,” Seth Solomonow, a spokesman for New York City's Department of Transportation, said. “While there is no evidence that any personal information was maliciously accessed or misused, NYC Bike Share engaged a security firm to investigate and recommend appropriate steps to make notifications and safeguard its customers, including to provide identity and credit monitoring free of charge.”

Source: The Wall Street Journal blog,, “Citi Bike Accidentally Exposes Customer Credit Card Information,” July 23, 2013.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Next Article in The Data Breach Blog

Sign up to our newsletters


More in The Data Breach Blog

Two laptops containing patient data stolen from American Family Care

The two laptops stolen from American Family Care were password protected, yet unencrypted, and may have contained Social Security numbers.

Viator investigates payment card breach, notifies 1.44 million customers

More than 1.4 million Viator customers are being notified that their personal data, including payment card information, may have been compromised.

Florida medical center hit with breach for third time in two years

Aventura Hospital and Medical Center has reported a data breach for the third time in two years.