Notification of the State Data Protection Inspectorate: Incidents against CityBee,


2021 02 26


Both organisations processing personal data and supervisory and law enforcement authorities deal with issues concerning processing of personal data. Last week concerns as to even several such cases arose in the society.

Confusion whether the leaked personal data may have adverse financial consequences or even an identity theft in the long run arose. According to the head of the State Data Protection Inspectorate Raimondas Andrijauskas "Each occurrence of incidents related to personal data is a message to each organisation which is even not concerned. An incident may occur in any place and at any time. It is important to recall that the General Data Protection Regulation is a legal act which must be observed. The consequences of lack of appropriate data security measures may be particularly serious not only to the effected people but also to the ecosystem of the surrounding businesses".


Incident related to personal data of CityBee customers


After on 15 February 2021, information that the database of the customers of the company CityBee (hereinafter referred to as the “Company”) containing private data of persons was possibly stolen or leaked appeared in the public domain, the personal data protection supervision authority, i.e. the State Data Protection Inspectorate (SDPI) initiated an investigation on its own initiative.

In the light of the fact that the SDPI has already initiated an investigation, separate complaints of persons will not be examined. The taken decision will be published. We will provide information on the taken decision to the persons who have already addressed the SDPI according to the contact details indicated by them. We received more than 2,600 inquiries concerning different issues related to the situation of CityBee from persons till 17 February 2021. In response to this, the SDPI published relevant information to the affected persons:

- Information concerning security measures in cyberspace: (LT)

- Answers to the frequently asked questions: (EN)

Duration of the investigation. Following legal acts, an investigation conducted by a supervisory authority may last up to 4 months with the possibility to extend it to 2 months taking into consideration the circumstances and progress of the investigation (for example, complexity of the circumstances, delay to provide responses etc.).

If in the course of the investigation it becomes evident that personal data of the residents of other EU Member States was breach, the time limits may be changed due to coordination of the actions with other involved personal data protection supervision authorities.

Report of CityBee to the supervisory authority. Following the General Data Protection Regulation, an organisation affected by a personal data breach shall immediately take every reasonable step to remedy the situation. Such organisation must, inter alia, report to the SDPI and notify the persons related to the incident not later than within 72 hours. The Company submitted the first report to the SDPI on 17 February 2021 specifying that it also applied to the Police and the National Cyber Security Centre for the incident and the customers were notified of the breach.

The initial report of the Company stated that the number of persons whose personal data security was breach was 111,052.

The following categories of personal data the security of which has been breached were as follows: name, surname, e-mail address, personal identification number, address of the place of residence, telephone number, encrypted (hashed) password. The scope of the data may be further specified during the investigation.

The actions taken by the Company are the caried out internal investigation and planned external audit. In the opinion of the Company, the incident could occur due to human error.

The SDPI analyses the information provided by the Company, an on-the-spot inspection is planned.

In the light of the fact that an investigation is carried out, more detailed information may be published only after completion of the investigation.


Incident related to the database of

On 18 February 2021, information on sale of the database of which possibly contains information on more than 257,000 users appeared in the public domain. For the purposes of supervision, in the short term the SDPI is planning to address the respective persons for provision of information. The SDPI also points out that in case of any possibly criminal acts in relation to personal data, one should address the police.