Cyber Incident Victim: CityBee

On February 15, 2021, cybercriminals leaked personal data belonging to approximately 110,000 customers of Lithuanian car-sharing service CityBee on an online hacker forum registered abroad. The compromised records included full names, personal identification numbers, telephone numbers, email and home addresses, driver's licence numbers, and encrypted passwords. CityBee confirmed the breach on February 17, stating the exposed dataset originated from company systems three years prior to the incident. The attackers offered the stolen information for sale on the forum but did not compromise financial data or payment method details, according to the company's assessment. CityBee immediately notified affected customers via public statements, urging them to change their email addresses and passwords used for the service, particularly if reused across other platforms.

Lithuanian authorities initiated multiple coordinated responses following the breach notification. The Criminal Police Bureau opened a pre-trial investigation in collaboration with CityBee, publicly warning citizens against purchasing or disseminating the stolen data. Concurrently, the State Data Protection Inspectorate (VDAI) launched an independent investigation into CityBee's data protection policies and compliance measures. VDAI Director Raimondas Andrijauskas emphasized interagency cooperation to limit further illegal processing of the exposed information. Lithuania's Ministry of Justice scheduled emergency meetings with data protection officials to evaluate regulatory implications, with Minister Evelina Dobrovolska characterizing personal data theft as highly sensitive and demanding swift institutional action. Legal consequences for the perpetrators could range up to four years' imprisonment under Lithuanian law, extendable to six years if economic or national security impacts were subsequently demonstrated.