Justice Minister on CityBee Scandal: Risk of Using Data Is There, But Low

According to the company, criminals posted consumer data from three years ago on one of the hackers’ favorite forums. It is reported that the data of those customers who registered in the CityBee system as of February 22, 2018 were made available to a limited number of people.

In addition to the first and last names of some CityBee customers, phone numbers, email addresses, residential addresses, driver’s license numbers, and encrypted passwords were stolen.

The Company ensures that the disclosure of stolen CityBee customer data will not affect the security of customers ‘financial services in any way, as the Company does not collect confidential information related to customers’ payment methods.

On Tuesday, Justice Minister Evelina Dobrovolska met with representatives of the police, VDAI and the company that provides the CityBee service to discuss 110,000. theft of consumer data.

After the meeting at the press conference, the minister said she did not see the risk and the need to change the bank card or driver’s license.

“We’re just talking about the certificate number and expiration date. At the meeting, we assessed the risks that we see today as low enough when it comes to using a driver’s license or bank card details. How it was stored a small sample and according to what is known, we do not see a high risk of recommending a change of bank card or driver’s license for everyone ”, he noted.

According to her, a new data leak matrix should not occur.

When asked what the threat is that driving license data can be used, the minister says the risk is low: “Citybee assured that no photos, copies of driver’s licenses are stored, only data – validity date and number, respectively, all possibilities of obtaining a loan require a living person or a driver’s license, copies of that license.

Nowadays, taking out a loan of this type would require a lot of effort and work, committing a crime, that is, both falsifying a driver’s license, finding the photo of that person, and finding a bank account, the risk is basically very low. To this day it exists, but because there was no copy of the driver’s license and it was not leaked. “

E. Dobrovolska recommends following your data, if necessary, changing the driver’s license, but there is no indication that it is necessary for everyone to change it.

“We have also drawn the attention of bank representatives to take a closer look at suspicious transactions,” he added.

According to Police Commissioner General Renatas Požėla, CityBee’s Prime Leasing company has been identified as a victim in a pre-trial investigation launched by law enforcement.

It cannot say at this time how the database was accessed, whether it was a hack or another method, which is said to be the subject of a pre-trial investigation. Fit and damage.

Raimondas Andrijauskas, Director of the State Data Protection Inspectorate, points out that both the Bank of Lithuania and the Cyber ​​Security Center have been informed about the incident.

“According to the initial information we discussed today, the Citybee database did not contain such information (driver’s licenses and bank card details – Delphi). (…) There was no such information, therefore we must calm down and not rinse ourselves, ”says R. Andrijauskas.

According to him, it is still difficult to say whether the company is to blame for the situation; it would be necessary to establish that the company did not comply with the requirements and kept the data insecure. He noted that sometimes the more secure system can be overcome.

According to the Data Inspection and the police, the authorities have the data of the affected users, so it is not necessary to request and present statements in addition, both authorities received more than 20 of them each.

As Kristijonas Kaikaris, the director of the company, said at a press conference on Tuesday, the company is currently clarifying the circumstances of how customer data fell into the hands of criminals.

“It just came to our knowledge then. It affects me personally because I am a CityBee customer, my friends, family, so I understand the feeling of insecurity that some customers experience. Currently, the priority is our customers, so we have established a line direct where victims can contact and find the information they need.

“We work closely with the police, explaining the circumstances, the place, the time, how to reduce the possible consequences that may be associated with the theft of personal data,” he said.

Victims can contact VDAI

Victims related to this data security incident can contact SDPI via email [email protected], indicating the keyword “CityBee” in the field of investigation. Since SDPI will initiate an investigation on its own initiative into data breaches at the company, there is no need for victims to file separate complaints.

VDAI applicants should indicate that their data may have been leaked, everything else will be identified by VDAI during the investigation and will be personally contacted by potential victims. The decision will also be made public.

The SDPI points out that, according to the General Data Protection Regulation, an organization that has suffered a data security breach must immediately take all measures to remedy the situation. Among other things, no later than 72 hours. notify the SDPI and inform the people involved in this incident whose data may have been affected.

What to do in case of data theft

In response to this incident, VDAI issued advice on what a user should do in the event of a data security incident.

Depending on the service, it is important to immediately change the passwords for all virtual services: social networks, online stores, online communications and the like, as well as the passwords for related services.

The old password should no longer be used and the new password should be changed every six months. Users should not use easy-to-guess passwords, such as qwerty or 123456, and it is important to create different passwords for each service.

If more services are observed to have been attacked, care must be taken to regain control of them. Typically, you need to answer a few questions about your account. Once they have regained control, it is important to check that there are no back doors through which intruders can return: if mail forwarding to other mailboxes is configured, spam filters are disabled, and security responses to other services have changed.

Users should also keep an eye on what is happening with their accounts to see if new shipping addresses have been added to online stores or if new accounts have been connected.

It is also recommended to revoke all open login permissions granted by creating a separate login with a username and password.