A security breach at bicycle-sharing operation oBike has exposed the personal information of users in Singapore and 13 other countries.
A spokesperson for the company said the data leak “stemmed from a gap in our [application programming interface] that allowed users to refer a friend to our platform.” With the oBike app, users can send invitation codes and share finished rides on their social networks. It’s through this process that users unknowingly gave the app access to their personal information. Only the app didn’t properly safeguard that data, which means criminals could have stolen it and could eventually leverage it to commit identity fraud.
The breach lasted at least two weeks. It might date as far back as June 2017, however, as this case of information leakage documents. Ultimately, oBike patched a second vulnerability on 29 November 2017.
A spokesperson for the company says oBike wasted no time in responding to the breach. As quoted by CNET:
We were made aware of the issue, and worked quickly to resolve it immediately. This only affected a small handful of our users. The personal data that was exposed was limited to user names, email addresses and mobile numbers. The app does not store credit card details or passwords of users.
They went on to say that the company also disabled the API and added extra security layers to protect users’ information.
In January 2017, oBike first implemented its bicycle-sharing platform in Singapore. It’s a dockless system, which means users with the mobile app can scan an eligible bike to use it and to then drop it off in a public bike-parking area when they’re done. oBike also operates in Australia, Malaysia, Switzerland, Germany, the UK, and elsewhere.
The company might have fixed the security issue, but it could still face consequences for not implementing proper data security measures. For instance, Thomas Kranig, President of the Bavarian State Office for Data Protection Supervision (Landesamt für Datenschutzaufsicht), told the BR that the data leak violated the Data Protection Act:
In our opinion, the company Obike commits a data protection violation because the data security requirements are not met. In preparation for a control procedure, the Berlin commissioner for data protection and freedom of information is currently examining her responsibility for this issue.
He went on to say that the breach violated transparency rules because oBike failed to notify users that it was storing their personal information.
With possible legal ramifications at play here, Mr. Edward Lim of security firm RSA feels there needs to be better testing for APIs. In particular, he noted to The Straits Times how “firms could incorporate vulnerability assessment at every major stage of the API development, instead of only upon completion of the apps.”
News of this this breach follows less than a month after the world learned of a massive breach impacting 57 million Uber customers and drivers that went undisclosed for more than a year.