
oBike Data Breach Highlights APAC Cybersecurity Concerns

Jeff Edwards | December 11, 2017


Singapore-based bike-sharing company oBike has reportedly suffered a global security breach that exposed Personally Identifiable Information (PII) of oBike riders.

 

The breach, which was first reported by Bavarian news agency BR24, lasted for two weeks and affected user data including names, phone numbers, email addresses, and profile pictures. However, payment card data was not affected by the breach.

 


 

Perhaps most disturbingly, hackers even gained access to users’ location data, letting them track routes that customers took on the rented bicycles. 

 

According to the news report, affected data was not encrypted.

 

A spokesperson for the company said the breach “stemmed from a gap in our API (application programming interface) that allowed users to refer a friend to our platform.”

 

Once aware of the issue, oBike fixed the loophole by disabling the troubled API and creating additional security layers, the spokesperson said, though she did not give details on the specific time of the breach.

 

oBike also declined to disclose exactly how many users were affected in the breach but did confirm that users in five markets (Singapore, Malaysia, Switzerland, Germany, and Great Britain) were at risk.

 

The Personal Data Protection Commission (PDPC) in Singapore said that it is aware of the breach, and has reached out to oBike for more details.

 

The news of oBike’s user data leak closely follows last month’s revelation that ride-sharing giant Uber suffered a massive data breach in 2016 and subsequently attempted to cover it up by paying a ransom of US$100,000 (S$135,000) to hackers. The breach exposed the PII of approximately 57 million Uber passengers worldwide, as well as 600,000 drivers. A 20-year-old Florida man was responsible for the breach, according to recent reports.


PII Marketplaces and APAC Cybersecurity Concerns

 

The sort of PII lost in these breaches, such as names, home addresses, emails, and phone numbers, is often sold and traded en masse by cybercriminals, who make the ill-gotten information available on dark web marketplaces. The end goal is to use data obtained in multiple breaches to create full dossiers on individuals, which provide enough information to facilitate further attacks such as fraud or identity theft. Such dossiers, commonly known as “fullz,” typically sell for $10 apiece on the dark web.

 

Hacks and data breaches of this nature often go unreported in the Asia Pacific region, because most nations in the region do not require companies that have been targeted to publicly acknowledge their breaches. However, recent reports indicate that data breaches are on the rise in the APAC region. 86 percent of organizations in the region have suffered a security breach over the past couple of years, according to an online survey conducted by Fortinet.


THIS POST WAS WRITTEN BY Jeff Edwards

Jeff Edwards is a tech writer and analyst with three years of experience covering Information Security and IT. Jeff has written on all things cybersecurity, from APTs to zero-days, and previously worked as a reporter covering Boston City Hall.
