A Citi Bike software problem earlier this month resulted in a security breach for over 1,000 members, and was followed by a confusing scramble on the part of the bike share program to contain the damage. We received a tip today from a Citi Bike member named Cody, who yesterday received a bizarre correspondence from the company alerting him to the fact that his account information—including his name, address and credit card number, expiration date and security code—may have been compromised during a "data breach," which was temporarily made public due to a URL error.
Sounds reasonable enough. But the letter, dated July 19—one day after Citi Bike's credit card machines went down for 45 minutes—contained some strange errors that caused Cody to doubt the letter's authenticity.
For one, he wrote, he never received an email about the security breach, nor could he find any relevant information regarding possible trouble on Citi Bike's website. "If someone possibly stole my CC info, I'd like to know about it ASAP, not three days after the fact," he wrote in an email. He also noticed that though much of his credit card number was correct, the last four digits were wrong. (A customer service representative referred to this as a "clerical error.")
But perhaps the most curious part of the letter was that it referred Cody to a private online credit services website, a program it assured him would be free...for a year. "So if you forget to cancel it after a year, are they going to start charging you?" Cody asked.
A separate letter from CEO Michael Jones was included in the envelope, apologizing for the issue. Fine, fine, Cody said. But who the hell is Michael Jones?
"It just said 'President,'" he told us. "It doesn’t say what company, and there was no letterhead, no address, no logo."
Some Googling revealed that Michael Jones is the head of Alta Bicycle Share, the company that operates Citi Bike. But Cody certainly didn't know that. Furthermore, Jones refers recipients to a number members can call to "very the authenticity" of this letter. Really, Michael Jones? How do you 'very the authenticity' of something?
DOT spokesman Seth Solomonow confirmed that the breach was real, and that the letter is authentic, adding that the issue affected the information of 1,174 of Citi Bike's 180,000 customers. "While there is no evidence that any personal information was maliciously accessed or misused, NYC Bike Share engaged a security firm to investigate and recommend appropriate steps to make notifications and safeguard its customers, including to provide identity and credit monitoring free of charge," Solomonow said.
But the letter's several errors still struck Cody as odd.
"The whole thing is just really weird," he said. "So you're sending a letter ensuring that you care about the security of my data, but in the letter you can't even be bothered to get my data correct?"
He said with a few exceptions, he's been happy with his Citi Bike experience. But the shadiness of this incident is causing him to question whether he wants to keep his membership.
"This is kind of starting to change my mind," he said. "I'm definitely skeptical of them as a company at this point."