More than 1,000 esteemed CitiBike members had their personal data, including credit card numbers and addresses, exposed due to a security breach. Gothamist obtained a letter issued to a biker named Cody from the program’s owner NYC Bike Share LLC, which operates under the bank’s name, stating that several users’ information was exposed because of a URL error.
The letter was so slapdash and poorly crafted that it left him wondering whether it might all be a scam.
First off, the breach occurred on April 15, and users were finally alerted to it more than three months later, last Friday. He told Gothamist that the letter misidentified the last four digits of his credit card number and that, if his credit card information was stolen, he would’ve liked to have known about it sooner.
Another letter also piqued Cody’s interest since it was from CEO Michael Jones, somebody he’s never heard of, and the makings were equally vague. “It doesn’t say what company, and there was no letterhead, no address, no logo,” he told Gothamist.
Donning his Nev Schulman suit, Cody searched online for Jones’s name and discovered that Mr. Jones is the president of Alta Bicycle Share, the owner of NYC Bike Share LLC.
Alta Bicycle Share told the Wall Street Journal that yep, the letter and the breach are both real but didn’t disclose why it took so long to tell users. Those who signed up for the $95 annual membership (hello @Dens!) were affected:
“While there is no evidence that any personal information was maliciously accessed or misused, NYC Bike Share engaged a security firm to investigate and recommend appropriate steps to make notifications and safeguard its customers, including to provide identity and credit monitoring free of charge,” a spokesman said.
Now Cody is starting to doubt the CitiBike program. “This is kind of starting to change my mind,” he said to Gothamist. “I’m definitely skeptical of them as a company at this point.”
Aren’t we all?