
Bicycle rental company OxBykes said it suffered a data security incident caused by a misconfiguration in its mobile app, which inadvertently exposed customer data to the public.
Founded in 2022, OxBykes operates primarily in Oxford and Cambridge and offers a fleet of bicycles available for both short-term and long-term hire. The company operates 25 depots in Oxford, 14 in Cambridge, and three in London, offering bicycles for immediate collection upon purchase.
Recently, the BBC reported that on May 13, a user of OxBykes’ mobile app was inadvertently granted administrative-level access to the company’s database. According to screenshots shared by the user, the app displayed sensitive personal data of OxBykes customers, including their names, contact details and order history.
The user added that they discovered the issue while attempting to contact the customer support team after being unable to locate a rented bike, and that it was “accessible throughout the past week.”
The company’s founder Louis Wright later contacted the OxBykes user directly via WhatsApp, explaining the technical glitch and requesting that the user not disclose the confidential data.
In a statement shared with the BBC, OxBykes CEO Tom Widgery said, “The company was made aware today that a very limited selection of customer data from a small number of customers may have been accessed as a result of a previously resolved vulnerability.
“We are treating this matter with the utmost urgency and are currently speaking to our lawyers to understand the full implications of the situation. We have already taken steps to patch the security flaw and are working to understand the extent of any data exposure,” Widgery added.
The company has reported the incident to the Information Commissioner’s Office (ICO) and will notify customers who may have been affected directly.