There are no laws to protect your data in Pakistan. So how can we minimise breaches like the Careem hack?
The recent notification from Careem to its customers regarding the hacking of its database of users and Captains raises various concerns about how much we can trust technology companies with our critical personal information, and what the next steps should be.
Careem is a ride-hailing mobile phone app that makes moving around urban areas convenient in cars owned and often driven by contractors or individuals that share the profit with the company. The company is based in Dubai, UAE and was founded by two former McKinsey consultants, one of whom is Pakistani.
In order to register as a Captain or a customer of Careem, one has to share details such as full name, telephone number, email address, and by virtue of using the app, addresses of all the locations one frequents regularly. The application also supports adding a credit card as an alternative to cash payments.
On April 23, 2018, Careem in an "Important security announcement" via email and its website informed customers that "on January 14th of this year, we became aware that online criminals gained access to our computer systems which hold customer and Captain account data".
The hack affected user data of over 14 million users and 558,880 Captains in the 13 countries and 90 cities that Careem operates in.
According to Careem’s announcement, the data acquired by hackers includes names, email addresses, phone numbers and trip data of customers.
They have stated that credit card information on the app is secured by "an external third-party PCI-compliant server" that "uses highly secure protocols".
Perhaps similar protocols should be implemented for the rest of the data at Careem as well.
Careem acknowledged in its announcement that no company is completely immune from cyber attacks, and that is true as far as the evolving nature of technology that enables these attacks is concerned.
It is, however, concerning that Careem announced this data hack more than three months after it had been intercepted, apparently because the company "wanted to make sure they are providing the most accurate information before notifying people."
But the company has provided very little specific information other than the type of data that was breached and when it happened.
Perhaps Careem had learnt from the backlash its rival Uber faced last year after it was exposed for hiding a breach of data of over 57 million users and drivers and paying hackers $100,000 to delete data and to keep silent about it. The Chief Security Officer of the company was also fired.
Careem only asked customers to reset passwords, monitor their credit card activity, and not click on links in emails they do not recognise three months later.
This is key advice that the company should have given their customers as soon as they discovered the hack.
The risk the company put its customers through during this time merits scrutiny and calls for corporate accountability.
Why is data important?
Data is now being tipped as “the new gold”, as companies pay millions to acquire it from those that have access to it.
It is data that forms the backbone of the most profitable companies in the world such as Facebook and Google which rely on analysis of users' personal data that companies then use to target advertisements.
The hackers who attacked the Careem data server are likely to have the objective of selling this data to other companies interested in data.
The company has so far not identified the hackers, or informed users if the hacked data has been deleted, so it can be assumed that the data of 14 million Careem users is currently in the data black market.
Data security is personal security
The hacked data could be misused in several ways, and further threatens the safety of Careem users, because it includes critical information on the movement patterns of its users, including home and work addresses and other regularly visited locations.
Access to such information can expose users to risks of criminal threats such as burglary, mugging and kidnapping, as well as potentially endanger activists, journalists and political workers.
Further, it has the potential to make women in particular more vulnerable.
Need for laws
Careem has promised to continue to strengthen its information systems, but customers and governments both need to hold the company accountable to higher standards of information security as any breach in information systems impacts us.
Whereas the data hack took place on Careem servers based at its headquarters in Dubai, the Prevention of Electronic Crimes Act 2016 criminalises interference with information systems and data under sections 3 to 8 in Pakistan.
However, there are currently no laws in Pakistan that protect individuals' data, despite Article 14 of the Constitution guaranteeing that "dignity of man, and subject to law, the privacy of home, shall be inviolable".
There is a need for legislators and courts to consider the right to privacy in the realm of the internet where vast amounts of data on each citizen is stored.
A recommendation for the federal government to make regulations to provide for “privacy and protection of data of subscribers” exists in Article 43 (2)(e) of the Electronic Transactions Ordinance 2002, but little has been done in this regard.
The current IT ministry has talked about a prospective data protection bill, but none has been introduced in parliament, and Pakistan does not have a privacy commission so far.
On an individual level, it is important for users to be aware of the associated risks of using technologies that make our life more convenient, and the ways in which our personal data can be misused for profits and ulterior motives.
Hence, steps must be taken to secure our information as much as possible by setting strong passwords, ensuring that a different password is used for each account, two-step verification enabled for all accounts that offer the option, screen locks turned on for phones, and minimal information shared on social media.
Additionally, if one uses the Careem app regularly, it would be helpful for safety reasons to change frequent routes from time to time so no single easily traceable pattern is identifiable, and changing drop off and pick up locations to walkable distances rather than the exact location of residence or work.
On a corporate level, Careem should, as promised, implement stricter cyber security protocols, similar to those used by financial companies, in order to value and protect personal information of customers and Captains.
Companies should inform customers of data breaches in time in order to protect them rather than waiting for investigations as that can tarnish the credibility of the company.
On an official level, the government must ensure that data protection and privacy laws are put in place to provide legal relief to citizens whose personal information is misused or breached not only by technology companies, but also mobile phone service providers, hospitals, schools, banks, public relations companies and so on.
Further, the government should set standards and protocols of cyber security for all corporations and organisations without which they should not be allowed to deal with personal information of citizens.
A privacy commission should be set up that citizens can access easily in the event of breach of data.
Whereas customers will continue to use services that make life convenient, they should at the very least be making an informed decision when divulging personal information to companies, and at the same time, both citizens and the government should hold these companies accountable to higher standards of safety when dealing with private information.
Are you an information security expert working in Pakistan? Share your insights with us at firstname.lastname@example.org