Police in Lithuania are investigating after the personal data of 110,000 people was leaked to an online hacker website.
The car-sharing service, CityBee, confirmed the records and information of thousands of its customers had been compromised in the incident.
On Monday night, cybercriminals had shared users’ names, personal identification numbers, telephone numbers, e-mail and home addresses, driver’s licence numbers, and encrypted passwords, the company said.
The data had been posted for sale on an online forum registered abroad, CityBee added. It said customers’ financial information had not been affected.
“The data, which was uploaded to one of the cyber hackers favourite forums, is three years old,” CityBee said in a statement.
“Disclosure of stolen customer data will not affect the security of CityBee customer financial services, as the company does not collect sensitive information related to customer payment methods.
“In order to protect the interests of clients and clarify the crime, we are cooperating with the Lithuanian police.”
CityBee has urged customers to immediately change their email addresses and passwords they used on the service and others if they had used similar login details.
“The Lithuanian Criminal Police Bureau is conducting a pre-trial investigation into the data stolen from CityBee’s customers in close cooperation with the company itself,” police said in a statement.
“We ask people not to be tempted by offers to buy hijacked data but to report such offers to the police.
“Please also do not share or distribute stolen data or links where it can be obtained.”
The theft of non-public electronic data in Lithuania carries a maximum sentence of four years in prison. This can rise to six years imprisonment if the data is of “strategic importance to national security” or Lithuania’s economy.
The country’s data protection watchdog has also launched its own investigation into the leak and CityBee’s data protection policies.
“Currently, all the institutions involved in the incident are cooperating to prevent possible further illegal processing of personal data as much as possible,” said Raimondas Andrijauskas, Director of State Data Protection Inspectorate (VDAI).
The authority has reiterated that any organisation that has suffered a data security breach must immediately take all measures to remedy the situation.
Lithuania’s Ministry of Justice was set to meet on Wednesday with the authority’s representatives to further discuss the hacking.
“There is no doubt that private personal data is an invaluable asset and its theft is highly sensitive,” said Minister Evelina Dobrovolska.
“The VDAI has to react in a lightning-fast manner in this situation, therefore we are in direct contact and we are eagerly awaiting the result of the investigation so that, if necessary, we can also take legal data protection regulation.”
“Gray areas cannot remain here,” Dobrovolska added.
CityBee risks a fine of up to €20 million or around 4% of its turnover if found in breach of data privacy rules.