CITIBIKE ‘SHARES’ ITS INFO
Security breach
A Citibike data breach accidentally shared the personal and financial information of more than 1,000 riders online, according to a letter received by customers this week.
NYC Bike Share, which designs and manages the system, sent the notice to almost 1,200 customers, saying that their creditcard numbers, names, and addresses had been posted for 24 hours on a “back page” of their Web site until a glitch was corrected.
Katherine Goldstein, a 29yearold Brooklyn resident who works as an innovation editor for Slate, said she received a letter on Monday saying someone could have seen her information if they had the specific Web address to find it, and offered her free credit monitoring.
“I’m happy to be a member of Citibike, I’m not overly angry,” said Goldstein. “But it’s more that it’s a hassle. I was a little surprised, since it’s sponsored by a bank.”
She added that was she glad she had received the notice that told her what happened, noting that other companies with similar breaches have posted cryptic emails on their Web sites, rather than being direct about it.
“I feel in a way they handled it more responsibly,” she said.
Some Citibike customers took to Twitter after receiving the letter to air their anxiety.
“Just got this sketchy looking letter about a security breach on the Citibike Web site?” tweeted @keithmancuso yesterday. “Anyone else get this? Oddly calls it NYC bike share?”
He tweeted a copy of the letter to Citibike as well. “Is this legit?” he asked.
A DOT spokesman said that the letter was standard procedure for dealing with a security breach, and said there was no evidence that anyone had misused the data.
“Notifications such as these are standard legal disclosures in any case where there is even the potential for information to have been improperly accessed,” said Seth Solomonow, deputy commissioner for external affairs.
He added that NYC Bike Share, a local company that is part of Oregonbased Alta Bicycle Share, is using a security firm to investigate what happened and figure out how to safeguard their customers through services like identity and credit monitoring.
Avid Citibike rider Zachary Schenker, 36, said he was surprised that none of the data had been maliciously swiped so far.
“If the numbers were not misused, I think we can credit Citibike users for being standup people,” he said.
But he added that the Midtown restaurant he owns, Milk ’N Honey, has better security systems in place than NYC Bike Share does.
“I own a restaurant, and I never see the full creditcard number,” he said. “I would have thought they could implement something like that on some kind of secure Web site.”