Citi Bike, a New York bike-rental initiative sponsored by Citigroup, disclosed a breach of payment card data.

The bike rental program exposed sensitive information such as the credit card numbers of more than 1,000 account holders—then waited more than a month to notify at least some of the members, The Wall Street Journal reports.

The breach occurred on April 15 and was caught and fixed near the end of May, according to a July 19 a customer sent to the Journal. The New York Department of Transportation did not explain the delay to the newspaper. Citi Bike, which is operated by NYC Bike Share, a subsidiary of Alta Bicycle Share, did not return a request for comment by deadline.

The breach affected 1,174 customers who paid a $95 annual membership fee to use the shared bikes. An "error log" containing personal data was accessible on April 15, including credit card numbers and security codes, passwords, birth dates and security questions. NYC Bike Share has about 61,000 total customers.

NYC Bike Share told the Journal there was no evidence that personal information was misused, and offered to provide identity and credit monitoring for fee.

In New York, the bike sharing initiative is operated by Alta and sponsored by Citigroup, using MasterCard as their preferred card payment network. Alta operates similar bike-sharing services in London, Washington, Boston, Minneapolis, Melbourne and Montreal—with launches planned for San Francisco and Chicago. 

Subscribe Now

Authoritative analysis and perspective for every segment of the payments industry

14-Day Free Trial

Authoritative analysis and perspective for every segment of the industry