Singapore-based bike-sharing company oBike has reportedly suffered a global security breach that exposed Personally Identifiable Information (PII) of oBike riders.
The breach, which was first reported by Bavarian news agency BR24, lasted for two weeks and affected user data including names, phone numbers, email addresses, and profile pictures. However, payment card data was not affected by the breach.
Perhaps most disturbingly, hackers even gained access to users’ location data, letting them track routes that customers took on the rented bicycles.
According to the news report, affected data was not encrypted.
A spokesperson for the company said the breach “stemmed from a gap in our API (application programming interface) that allowed users to refer a friend to our platform.”
Once aware of the issue, oBike fixed the loophole by disabling the troubled API and creating additional security layers, the spokesperson said, though she did not give details on the specific timing of the breach.
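The article says only that the breach stemmed from a gap in the refer-a-friend API and that the exposed fields were names, phone numbers, email addresses, profile pictures and location data. The following is an added illustration, not oBike's code, of the general pattern a defender looks for in such an endpoint: a referral lookup that serialises the whole stored rider record for any referral code, beside a data-minimised version that returns only what the referral flow needs, plus a small helper that flags sensitive fields in a response body for use in code review or contract tests. The endpoint shape, field names and sample records are constructed assumptions, not a description of the actual flaw.

```python
"""Added illustration (not oBike's code): data minimisation for a refer-a-friend
API. The article says only that the breach stemmed from a gap in that API, so
the endpoint shape, field names and sample records below are constructed
assumptions used to show the general pattern, not the actual flaw."""
from dataclasses import dataclass, asdict

# Fields that must never leave the service in a referral lookup response.
# These are the categories the article reports as exposed.
SENSITIVE_FIELDS = {"name", "phone", "email", "photo_url", "last_location"}


@dataclass
class Rider:
    user_id: str
    referral_code: str
    name: str
    phone: str
    email: str
    photo_url: str
    last_location: tuple  # (lat, lon) of the last ride; constructed sample


# Constructed sample records; every value is a placeholder.
RIDERS = {
    "u1": Rider("u1", "REF-ALICE", "Alice Tan", "+65 8000 0001",
                "alice@example.com", "https://cdn.example/alice.jpg",
                (1.29, 103.85)),
    "u2": Rider("u2", "REF-BOB", "Bob Lim", "+65 8000 0002",
                "bob@example.com", "https://cdn.example/bob.jpg",
                (1.30, 103.86)),
}


def _find_by_code(code, riders):
    """Resolve a referral code to the rider who owns it, or None."""
    return next((r for r in riders.values() if r.referral_code == code), None)


def lookup_referral_overexposed(code, riders=RIDERS):
    """Anti-pattern: serialises the whole stored record for any referral code.
    Anyone who can call the endpoint receives PII and location data."""
    r = _find_by_code(code, riders)
    return asdict(r) if r else None


def lookup_referral_minimal(code, riders=RIDERS):
    """Hardened: the referral flow only needs to know that the code is valid
    and which account to credit, so respond with an opaque id and nothing else."""
    r = _find_by_code(code, riders)
    if r is None:
        return {"valid": False}
    return {"valid": True, "referrer_id": r.user_id}


def exposed_sensitive_fields(response):
    """Detection helper for review or contract tests: which sensitive fields
    does a response body contain? Empty set means the response is clean."""
    return set(response or {}) & SENSITIVE_FIELDS


if __name__ == "__main__":
    print("over-exposed:", exposed_sensitive_fields(lookup_referral_overexposed("REF-ALICE")))
    print("minimal:", exposed_sensitive_fields(lookup_referral_minimal("REF-ALICE")))
```

The helper is deliberately response-centric: rather than auditing every query in the service, a contract test can call each public endpoint with a valid input and assert that `exposed_sensitive_fields` returns an empty set, which catches a serialiser that silently starts returning extra columns after a schema change.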
oBike also declined to disclose exactly how many users were affected in the breach but did confirm that users in “five markets—Singapore, Malaysia, Switzerland, Germany, and Great Britain—were at risk.”
The Personal Data Protection Commission (PDPC) in Singapore said that it is aware of the breach, and has reached out to oBike for more details.
The news of oBike’s user data leak closely follows last month’s revelation that ride-sharing giant Uber suffered a massive data breach in 2016—and subsequently attempted to cover it up by paying a ransom of US$100,000 (S$135,000) to hackers. The breach exposed the PII of approximately 57 million Uber passengers worldwide, as well as 600,000 drivers. A 20-year-old Florida man was responsible for the breach, according to recent reports.
PII Marketplaces and APAC Cybersecurity Concerns
The sort of PII lost in these breaches, such as names, home addresses, emails, and phone numbers, is often sold and traded en masse by cybercriminals, who make the ill-gotten information available on dark web marketplaces. The end goal is to combine data obtained in multiple breaches into full dossiers on individuals, which provide enough information to facilitate further attacks such as fraud or identity theft. Such dossiers, commonly known as “fullz”, typically sell for $10 apiece on the dark web.
Hacks and data breaches of this nature often go unreported in the Asia Pacific region, because most nations in the region do not require companies that have been targeted to publicly acknowledge their breaches. However, recent reports indicate that data breaches are on the rise in the APAC region: 86 percent of organizations in the region have suffered a security breach over the past couple of years, according to an online survey conducted by Fortinet.