Cyber Incident Victim: BCycle
Date:
Jan 2020
Location:
United States of America
Summary
A Texas-based bicycle sharing service experienced a malware breach affecting its website, potentially compromising names, credit card numbers, and addresses of approximately 12% of its users. The intrusion occurred over a three-month period, impacting individuals who registered through the website. While the company found no evidence of unauthorized transactions tied to the incident, one customer reported fraudulent card activity. Affected users were notified nearly two months after the investigation concluded, and the organization offered complimentary identity theft protection for one year. The breach was unrelated to a separate ransomware attack targeting the local transit agency.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
BCycle, a Fort Worth-based bicycle sharing service operating nationwide, discovered malware on its website in April 2020. The company immediately launched an investigation, determining the malware operated between January 24 and April 26, 2020. This breach potentially exposed personal information of users who registered through the website during this period, including names, credit card numbers, and physical addresses. Approximately 12% of BCycle's total user base was affected by the incident. The company completed identification of impacted individuals by June 2, 2020, and mailed notification letters to affected customers on June 26, 2020. While BCycle stated it had not received reports of unauthorized transactions stemming from the breach, at least one user reported their credit card being used for fraudulent purchases after the exposure period.
Jennifer Grissom, executive director of Fort Worth Bike Sharing, clarified that only website-registered users were affected, excluding those who signed up through alternative methods. BCycle offered affected customers one year of complimentary identity theft protection coverage as remediation. The breach occurred separately from a ransomware attack targeting Trinity Metro, Fort Worth's public transit agency, with Grissom confirming no connection between the two incidents. No technical details about the malware's functionality or intrusion methods were disclosed in the notification. The company maintained operations throughout the investigation and notification process without reporting additional service disruptions related to the security incident.