Bycyklen, Copenhagen’s public bike-sharing system, announced on Saturday that their entire database was erased in a hack by unknown hackers on the night between Friday and Saturday, causing their systems to be out of operation on Saturday.
“The manner in which the attack was performed is really primitive, but demonstrates that it was done by a person with a high level of knowledge of the IT structure of our system, and at the same time, we can see that the person(s) have entered using a password,” Bycyklen wrote in a Facebook post on Sunday, 6 May.
All of the organisation’s 1,860 bikes were affected by the hack, which had to be manually restored by Bycyklen staff, out of which only 200 were able to be restored by the organisation’s staff on Sunday.
The system works by using Android tablets attached to the bikes that connect to Bycyklen’s database to record the details of bikes spread across the city. Due to the erasure of the database, users were unable to unlock the bikes, and the staff had to manually reboot the Android tablets after tracking down the bikes.
The organisation launched a “treasure hunt” to track down the bicycles for the same, offering users an hour of free riding time as a reward for finding one.
In an update posted on its website on Monday, Bycyklen assured users that after analysing their servers, there have been “no signs that we have lost data.”
“The attack has been aimed directly at our business, not our users,” the company wrote. “We do not store payment card information. The only information we keep is our users' email addresses, phone numbers and their PIN codes for the Bycyklen bikes. In our databases we use "salted password hashing", that is, all PINs are encrypted and cannot be read or recreated, neither by Bycyklen nor any other player."
Currently active bicycles can be found using the organisation’s “Find a bike” page.