Breach, Data Security

NYC’s new Citi Bike program exposes card info of riders

New York City's two-month-old bike-sharing program, Citi Bike, sustained a data breach that exposed the personal and financial information of people who signed up for annual membership.

How many victims? 1,174.

What type of personal information? Names, credit card numbers and security codes, online account passwords, birth dates, contact information and security questions used to authenticate users of the Citi Bike website.

What happened? On April 15, before the program officially launched, the data of individuals who signed up for annual Citi Bike memberships was briefly accessible via the program's website due to a software glitch. The breach occurred because data stored on an “error log” file was exposed.

Citi Bike launched on May 27.

What was the response? NYC Bike Share, the operator of the Citi Bike program, hired a security firm to investigate. Last Friday, NYC Bike Share sent notification letters to affected individuals and plans to offer them  free credit and identity theft monitoring services.

Quote: “Notifications such as these are standard legal disclosures in any case where there is even the potential for information to have been improperly accessed,” Seth Solomonow, a spokesman for New York City's Department of Transportation, said. “While there is no evidence that any personal information was maliciously accessed or misused, NYC Bike Share engaged a security firm to investigate and recommend appropriate steps to make notifications and safeguard its customers, including to provide identity and credit monitoring free of charge.”

Source: The Wall Street Journal blog,, “Citi Bike Accidentally Exposes Customer Credit Card Information,” July 23, 2013.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.