KARACHI: Ride-hailing company Careem has revealed that it suffered a major data leak following a cyber incident involving unauthorised access of more than 14 million customers.

As per its statement released on Monday, the company became aware on Jan 14 this year that online criminals had gained access to their computer systems which held customer and captain account data.

Information including customers’ name, email addresses, phone numbers and trip data (pick-up and drop-off points) was stolen by the hackers, Careem said, admitting to the cyber breach.

However, the company maintained that there was no “evidence” that passwords or credit card information — held on external third-party servers — had been compromised.

Data — including customer identity, email ID, phone number and trip details — compromised

According to Gemma McKeown, a representative from Careem’s global press team, at the time of the attack on Jan 14, Careem had 14m customers and 558,000 captains on its platform across 13 countries, including Pakistan. Those who had signed up since then were not affected by the breach, she claimed in an email to Dawn.

The company did not specify whether the breach had affected users and captains worldwide, or in a specific country. It also did not comment on the origin or nature of the cyber security breach. “We do not know the identity of the hacker and we’re continuing to work with law enforcement authorities to investigate this matter,” she said.

Commenting on why the company had taken over two months to inform its users about the data leak, she stated: “Cybercrime investigations are immensely complicated and take time. We wanted to make sure we had the most accurate information before notifying people.

“As soon as we detected the breach, our internal security team engaged leading cyber security experts to investigate the issue and strengthen our security systems to protect us against further attack.

“Throughout the incident, our priority has been to protect the data and privacy of our customers and captains. Since discovering the issue, we have worked to understand what happened, who was affected, and what we needed to do to strengthen our network defences.”

On its part, the company recommended its users to safeguard their personal information by implementing “good password management”. “We apologise for what has happened but rest assured, Careem has learned from this experience and will come out of it a stronger and more resilient organisation,” the ride-hailing company regretted.

Services remained in operation in over 90 cities as Careem worked with cyber security experts and law enforcement agencies on the matter, the company added.

Potential threats

The director of Bolo Bhi, an advocacy forum for digital rights, Usama Khilji, while speaking to Dawn, pointed out the potential risks of the data breach. “It is alarming and, at the same time, a reminder for users to realise the vulnerability of tech companies referring to the Facebook controversy. In Careem’s case, not only is personal information at risk but also financial,” he said.

Calling out the growing need for data protection laws, Mr Khilji said the Prevention of Electronic Crimes Act, 2016, provided for telecom and internet service providers to retain data for at least 90 days, but it did not include any provisions that protected citizen’s data or privacy.

“Given what has happened with Careem, unfortunately due to a lack of data protection laws, the users have no recourse to pursue the matter legally. In such circumstances, the [hacked] data can be manipulated to track activists, journalists and politically-vulnerable communities,” he added.

Referring to the recent incidents of ATM scamming across Pakistan, with customers losing thousands of rupees as well as leading to major losses to banks, he said the Careem data breach could lead to worse consequences as the data was extensive and vast in nature.

Published in Dawn, April 24th, 2018

Opinion

Climate & youth

Climate & youth

Disillusionment and anxiety are on the rise among youth as they confront the diminishing prospects of a better tomorrow.
Our exclusivity syndrome
Updated 17 Oct 2021

Our exclusivity syndrome

Pakistan needs at least a minimum level of inclusivity that can keep alive democratic values.
Shafqat Kakakhel
Updated 16 Oct 2021

Shafqat Kakakhel

COP26 has to achieve consensus on several issues.

Editorial

Carnage in Kandahar
Updated 17 Oct 2021

Carnage in Kandahar

Pakistan’s anti-extremism policy is in many ways half-baked and inconsistent.
17 Oct 2021

Sanctity of contracts

PAKISTAN is facing yet another international dispute before the International Centre for Settlement of Investment...
17 Oct 2021

New sports policy

THIS week, the Pakistan Football Federation Normalisation Committee chief Haroon Malik was in Zurich to hold ...
Diminishing freedom
Updated 16 Oct 2021

Diminishing freedom

DESPITE the serious reservations of digital rights activists and tech companies, the federal government has...
16 Oct 2021

Dirty politics

IN her outburst against Prime Minister Imran Khan this week, PML-N leader Maryam Nawaz may not have taken names but...
16 Oct 2021

Decreasing emissions

THE announcement by SAPM on Climate Change Malik Amin Aslam that carbon emissions in the country came down by 9pc...