oBike reviews app security after data breach

Bike-sharing operator recently had data breach that affected users in 14 countries

Bicycle-sharing operator oBike is reviewing the security of its app following a leak that affected its users' data in 14 countries worldwide.

German broadcaster Bayerischer Rundfunk reported last week that unencrypted oBike user data - names and ride locations, for example - were accessible online.

A spokesman for the Singapore-based company said yesterday that it was made aware of the issue two weeks ago and worked quickly to resolve it. He said it affected only a handful of users.

"As (we are) a tech company, users' data and security are of paramount importance to us," he said, adding that credit card details and user passwords were not stored in the app and were not leaked.

The leak resulted from a gap in the oBike app's application programming interface (API), specifically the API that allowed users to refer their friends to the firm's services.

"We have since fixed the loophole by disabling the API and created additional security layers," the spokesman said, adding that the systems were now fully restored and secure.

"We are relooking the sharing and security functions of the app, to ensure that no further user data is compromised."

When contacted, the Personal Data Protection Commission said it was aware of the breach and had asked oBike for more details.

oBike rolled out its bicycles in Singapore in January and has since expanded to other cities worldwide, including Melbourne and London.

In response to news of the data leak, rival bike-sharing firm ofo said it "does not collect, process or access any individual user data or information in (its) work".

Instead, it uses only accumulated rider information for data analysis purposes, it said.


A spokesman for Mobike said it had "robust data management protocols" in place to protect user data, adding it did not share users' personal data with third parties without consent.

The news of oBike's user data leak comes after it was revealed last month that ride-hailing giant Uber covered up a data breach last year.

The breach exposed the personal details of 57 million passengers and drivers worldwide to hackers. The American company had not informed the authorities about the attack, and, instead, paid hackers US$100,000 (S$135,000) to delete the compromised data.

Last month, the NRIC numbers of hundreds of Xinmin Secondary School students were leaked online.

"The sad reality is that this kind of incident is getting more common," said Mr David Maciejak, security research director for cyber security provider Fortinet.

He said people should take steps to protect their own data, such as by using a virtual credit card, which provides users with a disposable credit card number.

Akamai Technologies security chief technology officer Michael Smith warned people against reusing passwords across multiple websites and applications.

He suggested the use of password manager applications such as LastPass instead. LastPass creates a private account where users can store encrypted passwords.