
BR discovers data leak: Obike exposed user data

Munich, Berlin, Frankfurt, Hanover: Obike offers rental bikes in a growing number of German cities. BR Data and BR Recherche have discovered a data leak at the provider of the yellow bikes. Until recently, personal and location data of users around the world was accessible online without any protection.

By: Robert Schöffel, Maximilian Zierer and Steffen Kühne

Last updated: 30.11.2017

Data leak at Obike | Image: BR

Names from Germany, mobile phone numbers from Switzerland, e-mail addresses from Great Britain, profile pictures from Malaysia. Journalists from BR Data and BR Recherche were able to access user data of the bike rental company Obike on the internet. The data was neither encrypted nor otherwise protected; even the exact location data of rides was exposed for at least two weeks. Obike users all over the world were affected by this leak.

The BR investigation shows that the social media functions of the smartphone app were particularly problematic. The Obike app lets users share invitation codes and completed rides on social networks. By doing so, users granted direct access to their personal data without noticing it. Criminals could have used this security gap to copy customer data, including the data of users who had never shared anything. After BR confronted the company with the data leak, the security gaps were closed. Obike states in a written response:

"Obike does everything to quickly fix any security gaps and protect user data."

Obike

Movement data map

BR sent a test person on a ride with an Obike. Afterwards, the ride's location data was accessible online without any protection.

On the black market, user data like Obike's is worth a lot of money. Last week, a data breach at the US transport service provider Uber hit the headlines. The company paid hackers $100,000 to destroy the stolen e-mail addresses and phone numbers of customers.

Violation of Data Protection Act

User data like this was exposed

Though the data leak at Obike has since been fixed, the careless handling of user data could still have consequences. The Bavarian State Office for Data Protection Supervision (Landesamt für Datenschutzaufsicht) confirmed to BR that the data leak is a violation of the Data Protection Act: "In our opinion, the company Obike commits a data protection violation because the data security requirements are not met," said President Thomas Kranig. As Obike has its German headquarters in Berlin, the BR investigation has alerted the Berlin data protection commissioner:

"In preparation for a control procedure, the Berlin commissioner for data protection and freedom of information is currently examining her responsibility for this issue."

Berlin data protection commissioner (Berliner Datenschutzbeauftragte)

There is also another problem with Obike: in the opinion of data protection supervisor Thomas Kranig, the provider of rental bicycles violates transparency rules. When the app is downloaded, Obike does not make clear what kind of user data it collects and what happens with this data: "There is information that they create movement profiles and that they provide the data to affiliated companies. But the user does not know for what purpose and exactly which companies receive these movement profiles," says Kranig.

Trademark rights in the tax haven

It is hard to find out which companies are associated with Obike. Obike is backed by an international network of companies: OBG Germany GmbH, oBike Asia Pte Limited in Singapore and Obike Inc. in the British Virgin Islands, a tax haven. Obike also shares business addresses or employees with Avazu and DotC United, companies that earn money with online and in-app advertising. Obike denies sharing its user data with these companies and, upon request, states in writing: "Today, Obike's business model in Germany does not provide third-party advertising in the app." The European Union trademark rights to the brand Obike are held by DotC United Inc., which is also registered in the British Virgin Islands.

Tax expert Gerhard Wipijewski from the Bavarian Finance Union (Bayerische Finanzgewerkschaft) has experience with similar corporate structures:

"Without knowing the specific case, it can be assumed that the price for the trademark usage is very high. Only a small part of the profit generated here remains in Germany. Most of the potential earnings flow abroad, land in the British Virgin Islands and are almost tax-free."

Gerhard Wipijewski, Bavarian Finance Union (Bayerische Finanzgewerkschaft)

Obike informed BR that DotC United held the trademark rights because Obike had still been in the start-up phase when the company launched in Europe in June this year. All of Obike's revenue in Germany had been taxed in Germany.

Meanwhile, Obike is expanding further. This year, the yellow bikes will also be deployed in cities such as Prague, Athens, Budapest and Lisbon. In Germany, Obike now also wants to offer its service in smaller municipalities. Landshut's mayor Alexander Putz, for example, has already posed with one of the company's bikes on Facebook and called the Obike concept exciting. However, he did not know about the BR investigation at that point. Now he is reconsidering.

Notes

  • User data was exposed for at least two weeks. We also received information from IT security experts in Taiwan that the data leak had already existed in June 2017 and that they had informed Obike several times. This case is documented here.
  • The second security vulnerability was closed on Wednesday, November 29, 2017, after we had informed Obike again.
  • Not only users in Germany were affected. We were able to see names, phone numbers, profile pictures and movement profiles of users from numerous countries, such as Great Britain, Singapore, Malaysia and Switzerland.
