oBike failed to address a data breach for two whole weeks. Source: Shutterstock

Did oBike take too long to respond to its massive data breach?

SINGAPORE’S first homegrown bike-sharing service, oBike, was recently hit by a massive data breach that compromised unencrypted user data in 14 countries across the globe and lasted at least two weeks before the bike-sharing startup was able to address the security issue.

While oBike was eventually able to secure its systems, a cybersecurity expert has asserted that the homegrown startup’s response to the leak was inadequate as a whole.

According to a CNET report, oBike’s systems were compromised sometime in June, when cybersecurity experts in Taiwan discovered the vulnerability in the bike-sharing firm’s API. The experts from Taiwan reportedly contacted oBike about the issue when it was discovered, but the startup did not issue a response.

In a statement to CNET, however, an oBike spokesman asserted that once the company was made aware of the data breach, a resolution to the problem was immediately sought. The spokesman further stated that very few users were actually affected by the breach and that no sensitive data was compromised.

“We were made aware of the issue, and worked quickly to resolve it immediately,” the spokesman told CNET. “This only affected a small handful of our users. The personal data that was exposed was limited to usernames, email addresses, and mobile numbers. The app does not store credit card details or passwords of users.” 

A commuter rides an Obike during evening rush hour in Singapore. Source: Reuters

Speaking to The Straits Times, another spokesman for the Singapore-based bike-sharing startup also assured the service’s users that all vulnerabilities had been adequately addressed. Due to the data breach, however, the spokesman also stated that oBike is currently at work in improving its security systems.

“We have since fixed the loophole by disabling the API and created additional security layers,” the spokesman said, adding that the systems were now fully restored and secure. “We are re-looking the sharing and security functions of the app, to ensure that no further user data is compromised.” 

While oBike seems to be confident that it has managed to contain its recent data breach in an adequate manner, LogRhythm Vice-President for Asia Pacific and Japan Bill Taylor-Mountford believes that the bike-sharing service could have handled its recent security breach a lot better.

In a statement to Tech Wire Asia, the cybersecurity expert asserted that overall, oBike simply took too much time in addressing its security issue. Such time, according to Taylor-Mountford, could have resulted in massive damages, especially to oBike’s user base.

“In the current threat landscape, any company that handles personal information must be prepared for the eventuality that vulnerabilities will be exploited. In oBike’s case, the security flaw was made known to the organization for months, but no actions were taken to safeguard their customer’s information.

“The time to detect and respond to such vulnerabilities must simply be reduced because it will significantly reduce the damage done. Taking months or even weeks cannot and should not be accepted. It’s imperative to understand that the implications of such leaks do not exist in a vacuum but instead set off a chain reaction – criminals will often use information gleaned from multiple sources to form a portfolio of their would-be victims.

“With so many consumer apps demanding personal information, we need to start questioning the data protection capabilities of such organizations. In turn, businesses need to pay more attention to the data they make available, or risk exposing their customers to cybercrime.”