KARACHI: Ride-hailing company Careem has revealed that it suffered a major data leak following a cyber incident involving unauthorised access to the data of more than 14 million customers.

As per its statement released on Monday, the company became aware on Jan 14 this year that online criminals had gained access to its computer systems, which held customer and captain account data.

Information including customers’ names, email addresses, phone numbers and trip data (pick-up and drop-off points) was stolen by the hackers, Careem said, admitting to the cyber breach.

However, the company maintained that there was no “evidence” that passwords or credit card information — held on external third-party servers — had been compromised.

Data — including customer identity, email ID, phone number and trip details — compromised

According to Gemma McKeown, a representative from Careem’s global press team, at the time of the attack on Jan 14, Careem had 14m customers and 558,000 captains on its platform across 13 countries, including Pakistan. Those who had signed up since then were not affected by the breach, she claimed in an email to Dawn.

The company did not specify whether the breach had affected users and captains worldwide, or in a specific country. It also did not comment on the origin or nature of the cyber security breach. “We do not know the identity of the hacker and we’re continuing to work with law enforcement authorities to investigate this matter,” she said.

Commenting on why the company had taken over two months to inform its users about the data leak, she stated: “Cybercrime investigations are immensely complicated and take time. We wanted to make sure we had the most accurate information before notifying people.

“As soon as we detected the breach, our internal security team engaged leading cyber security experts to investigate the issue and strengthen our security systems to protect us against further attack.

“Throughout the incident, our priority has been to protect the data and privacy of our customers and captains. Since discovering the issue, we have worked to understand what happened, who was affected, and what we needed to do to strengthen our network defences.”

On its part, the company recommended that its users safeguard their personal information by implementing “good password management”. “We apologise for what has happened but rest assured, Careem has learned from this experience and will come out of it a stronger and more resilient organisation,” the ride-hailing company regretted.

Services remained in operation in over 90 cities as Careem worked with cyber security experts and law enforcement agencies on the matter, the company added.

Potential threats

The director of Bolo Bhi, an advocacy forum for digital rights, Usama Khilji, while speaking to Dawn, pointed out the potential risks of the data breach. “It is alarming and, at the same time, a reminder for users to realise the vulnerability of tech companies referring to the Facebook controversy. In Careem’s case, not only is personal information at risk but also financial,” he said.

Calling out the growing need for data protection laws, Mr Khilji said the Prevention of Electronic Crimes Act, 2016, provided for telecom and internet service providers to retain data for at least 90 days, but it did not include any provisions that protected citizens’ data or privacy.

“Given what has happened with Careem, unfortunately due to a lack of data protection laws, the users have no recourse to pursue the matter legally. In such circumstances, the [hacked] data can be manipulated to track activists, journalists and politically-vulnerable communities,” he added.

Referring to the recent incidents of ATM scamming across Pakistan, in which customers lost thousands of rupees and banks suffered major losses, he said the Careem data breach could lead to worse consequences as the data was extensive and vast in nature.

Published in Dawn, April 24th, 2018
