The data was exposed via a software glitch and included customers' names, contact information, credit card numbers and security codes, passwords, and birth dates.
While the data leak apparently took place on April 15, a few weeks before the program launched in the city, the company didn't notify the affected customers until July 19. According to the Wall Street Journal, Citi Bike discovered the breach at the end of May and corrected it immediately.
"Notifications such as these are standard legal disclosures in any case where there is even the potential for information to have been improperly accessed. This potential security issue affected 1,174 of NYC Bike Share's approximately 180,000 customers," New York City Department of Transportation spokesman Seth Solomonow told CNET. "While there is no evidence that any personal information was maliciously accessed or misused, NYC Bike Share engaged a security firm to investigate and recommend appropriate steps to make notifications and safeguard its customers, including to provide identity and credit monitoring free of charge."
Citi Bike is a city-run bike-sharing program in New York that lets users pick up and drop off bicycles at docking stations throughout the city with a $95 annual membership. The bikes are available 24 hours a day and 365 days a year.
When the program launched in late May, more than 16,000 people had already signed up for the bike share. Now, Citi Bike has about 61,000 members and has served 180,000 customers, which includes people buying annual, weekly, and daily passes.
Identity management company IDentity Theft 911 told CNET that affected customers should take certain steps to safeguard their private information. IDentity Theft 911 chairman Adam Levin said that users should change their passwords for other Web sites if they used the same password, watch out for e-mail and text scams, and place a fraud alert on their credit file.
Update, 4:35 p.m. PT: Adds comment from New York City Department of Transportation spokesman Seth Solomonow.
Correction, July 24 at 2:20 p.m. PT: Adjusts the spelling of IDentity Theft 911 and the descriptor of the company.