A criminal investigation into the leak of 110,000 Lithuanians’ personal data is underway after a hacker posted a list obtained from an unsecured database backup in return for $1,000 in bitcoin.

The data was harvested in 2018 from the car-sharing service CityBee, whose backup systems were reportedly unsecured.

The stolen information included national identity numbers, names, telephone numbers, email addresses, and car registration numbers, but no financial information had been compromised, according to CityBee.

“The Lithuanian Criminal Police Bureau is conducting a pre-trial investigation into the data stolen from CityBee’s customers in close cooperation with the company itself,” Lithuanian police said in a statement.

“We are very sorry. I am one of the victims of the leak, because I use the service, and I very well understand that feeling of insecurity,” CityBee CEO Kristijonas Kaikaris said in response.

“We were in such a hurry to inform customers and the public about the theft of the data as soon as possible, that we did not notice all the circumstances of the event, and the circumstances were constantly evolving,” he added. “So, starting this morning, we started to update the information: we provided additional information to customers, partners, responsible institutions and the media.”

Raimondas Andrijauskas, director of Lithuania’s State Data Protection Inspectorate, has said that currently “all the institutions involved in the incident are cooperating to prevent possible further illegal processing of personal data as much as possible.”

CityBee risks a fine of up to €20 million or around 4% of its turnover if found in breach of data privacy rules.
