Cybercriminals stole data from 14 million Careem customers, including their names, email addresses, phone numbers and trip data in the Middle East, North Africa and South Asia, on January 14, according to a blog post on Monday.
The Dubai-based ride-sharing platform operates in 80 cities in 13 countries, including Pakistan.
“On January 14, we became aware that online criminals gained access to our computer systems which hold customer and captain account data. Customers and captains who have signed up with us since that date are not affected,” Careem’s blog said.
When contacted by Gulf News, the company said that none of the accounts had been compromised, but did not elaborate on what that meant. According to the blog post, users’ names, email addresses, phone numbers and trip data were taken, but no credit card data was compromised. A spokesperson also said the company was not ready to provide a statement, saying only that “everything is there on the blog.”
Careem said so far it had not seen any evidence that the data taken had been misused. Customers’ credit card information is kept on an external third-party PCP-compliant server. A PCP server uses secure protocols and is employed by international banks around the globe to protect financial information.
“While we have seen no evidence of fraud or misuse related to this incident, it is our responsibility to be open and honest with you, and to reaffirm our commitment to protecting your privacy and data,” it said.
Nicolai Solling, chief technology officer at security solutions provider Help AG, told Gulf News that the delay in Careem’s reporting of the incident is unfortunately not uncommon.
He said the time it usually takes to identify a breach is between 120 and 180 days, and the vast majority of breaches are not discovered by the affected company but by a third-party organisation.
“This really highlights how important it is to secure modern day businesses — especially as the use of digital technology becomes a mandatory competitive parameter. It should also be noted that Careem is not the only ride-hailing service that has had problems protecting their customers’ and drivers’ data,” he said.
He added that since payment details had not been lost, people did not need to have their cards replaced.
“What would be interesting is the data that is lost around trip information and account details,” he said. First of all, he said that the account information can be used in phishing attacks where an attacker can use the email address, name and maybe information around rides to trick a user into clicking a malicious link or giving away sensitive information.
“It would be interesting to understand from Careem if the geo-data related to a ride has been leaked as well,” he said.
However, he said that it is really the ride information which may be more tricky from a security perspective.
“Location-based ride services such as Careem are super convenient, but in order for them to be convenient, you also have to give away your location. That location can be your home, office or favourite restaurant — all data that says something about you.
“You may be comfortable having this information with a ride service, but in the hands of a third party hacker maybe it is not the most pleasant thing to think about,” he said.
Kalle Bjorn, director of systems engineering at Fortinet Middle East, said the security features of apps on the app stores depend on the developer.
“One of the things is to get the apps as fast as possible onto the store which may compromise on the safety and security features. It is difficult to say that all the apps are safe or not. It depends case by case,” he said.
He added that the breach or data loss could well lie in the back-end application on the cloud server that communicates with the app. Not only does the app need to have proper security features, but so too do the back-end applications.
Careem has raised $571.7 million (Dh2.10 billion) in funding to date, according to data from website Crunchbase. It received seed money of $1.7 million in a round led by STC Ventures in 2013. In 2014, it received funding of $10 million in a Series B round led by Al Tayyar Travel Group and STC Ventures.
In November 2015, Careem announced a Series C round investment of $60 million led by The Abraaj Group. In December 2016, the company raised $350 million in a Series D round, based on a $1 billion valuation for the company. Most recently, in July 2017 the company raised a Series E round of $150 million, led by Saudi Arabia’s Kingdom Holding Company.