The computer system for the Danish capital area city bikes program went offline as a result of a malicious hacking attack.
On 5 May, the administrators of Bycyklen posted a statement informing the public of a hack that occurred sometime over the previous evening:
Everything was erased and our entire system went down as a result of the malicious action. Since the hacking, we have been working hard to solve the problem, but unfortunately, it’s not something we can fix with a snap of the fingers.
According to the program’s “How to” page, Bycyklen enables residents living in Copenhagen, Frederiksburg and surrounding areas to create an account online or on the Android tablet of one of the program’s 1,860 bikes. They can then authenticate themselves at a station with their username and PIN to rent a bike for an hourly fee. Once they’ve finished using the bike, members of the public must return it to an approved Bycyklen station.
Bycyklen issued two updates regarding the hacking attack on its Facebook page the following day. The first revealed that officials needed to go to the docking stations, manually update each affected bike and then charge them up before members could ride them again. The second urged users to report bikes not located in a docking station in exchange for one hour of free riding time.
After having the weekend to investigate the incident, Bycyklen confirmed in an update posted to its website that the hacking attack had not affected users’ data. Administrators of the program clarified this point by sharing how Bycyklen doesn’t store payment information and records only users’ email addresses, phone numbers and PIN codes protected using “salted password hashing,” a method of encryption which helps keeps passwords secure.
Even so, Bycyklen is urging all users to update their PINs as soon as possible just to be safe.
All bikes operating under Bycyklen were back up and running on 9 May, according to a third announcement made on Facebook.