Thousands of L.A. Based Electric Car Share Users’ Personal Information Exposed in Data Leak

More than 22,000 Blue LA users had their phone numbers, email addresses, encrypted passwords and other personal information exposed in a data leak last year, according to a report by Cybernews.

A spokesperson for the Los Angeles Department of Transportation (LADOT) confirmed the data leak. "LADOT was informed by the contractor of this issue," Colin Sweeney told L.A. TACO.

Blink Mobility, the company that manages the Blue LA electric car share program in partnership with the City of Los Angeles, first learned of the data leak on December 14, according to a notice from Blink Mobility that was reportedly sent to “impacted users" on January 5.

“On 12/14/2023, Blink Mobility received notice that a former vendor’s database had a vulnerability that may have comprised some customer data.” The database was part of a “legacy system” that had been replaced in August of 2023, the company said.

“We believe that the vulnerability may have comprised data that includes some customer’s phone numbers, email addresses, encrypted passwords, account registration dates, device info, device tokens, and details on subscription and rented vehicles.”

Blink Mobility advised customers to update passwords “on any applications that share the same password as the legacy Blink Mobility app,” even though the data that was exposed was encrypted.

Cybernews first reported on the data leak at the end of last year, after their research team discovered the exposed database through metadata that “was then indexed by search engines.” Their investigation revealed that more than 22,000 users were contained in the database.

Cybernews reported the leak to Blink Mobility the same day they discovered it. A couple of days later, the database was gone, Cybernews reported.

It is unclear if hackers accessed the data before it was taken down.

“Personally identifiable information from car renting companies is highly valued among black-hat hackers and is often sold in batches on cybercrime marketplaces on the dark web,” according to Cybernews.

“In the wrong hands, this data can be exploited for financial gain,” Cybernews researchers said. “Threat actors could potentially use the exposed information to track users’ movements, manipulate booking, and engage in fraudulent activities.”

Twenty-two days after first learning of the data leak, on January 5, Blink Mobility sent a “notice of data breach” to impacted users, according to Colin Sweeney, Director of Public Information for LADOT.

Sweeney did not confirm how many users were impacted by the leak when asked. 

Blink Mobility’s notice informed users of what happened, what information was potentially leaked as well as steps that users should take to protect themselves.

In a request for comment, L.A. TACO asked Blink Mobility why they didn’t immediately notify customers.

“Blink Mobility is committed to providing a secure environment for our customers,” the company’s notice reads. “Our new mobile app launched in August 2023, is fully built and maintained by us. Furthermore, we are expanding our cybersecurity auditing process for partners and third-party vendors.”

Blue LA, in partnership with LADOT, began service in 2018 and was briefly managed by a French company before Blink Mobility took over in late 2020. Through an app, Blue LA users can rent electric Chevy Bolts by the minute. Today there are roughly 40 Blue LA charging stations and 100 vehicles available.

If you’ve had issues with Blue LA, please contact our investigative reporter - LexisOlivier@Gmail.com.