KARACHI: Ride-hailing company Careem has revealed that it suffered a major data leak following a cyber incident involving unauthorised access to the data of more than 14 million customers.

As per its statement released on Monday, the company became aware on Jan 14 this year that online criminals had gained access to its computer systems which held customer and captain account data.

Information including customers’ names, email addresses, phone numbers and trip data (pick-up and drop-off points) was stolen by the hackers, Careem said, admitting to the cyber breach.

However, the company maintained that there was no “evidence” that passwords or credit card information — held on external third-party servers — had been compromised.

Data — including customer identity, email ID, phone number and trip details — compromised

According to Gemma McKeown, a representative from Careem’s global press team, at the time of the attack on Jan 14, Careem had 14m customers and 558,000 captains on its platform across 13 countries, including Pakistan. Those who had signed up since then were not affected by the breach, she claimed in an email to Dawn.

The company did not specify whether the breach had affected users and captains worldwide, or in a specific country. It also did not comment on the origin or nature of the cyber security breach. “We do not know the identity of the hacker and we’re continuing to work with law enforcement authorities to investigate this matter,” she said.

Commenting on why the company had taken over two months to inform its users about the data leak, she stated: “Cybercrime investigations are immensely complicated and take time. We wanted to make sure we had the most accurate information before notifying people.

“As soon as we detected the breach, our internal security team engaged leading cyber security experts to investigate the issue and strengthen our security systems to protect us against further attack.

“Throughout the incident, our priority has been to protect the data and privacy of our customers and captains. Since discovering the issue, we have worked to understand what happened, who was affected, and what we needed to do to strengthen our network defences.”

For its part, the company advised its users to safeguard their personal information by implementing “good password management”. “We apologise for what has happened but rest assured, Careem has learned from this experience and will come out of it a stronger and more resilient organisation,” the ride-hailing company said.

Services remained in operation in over 90 cities as Careem worked with cyber security experts and law enforcement agencies on the matter, the company added.

Potential threats

The director of Bolo Bhi, an advocacy forum for digital rights, Usama Khilji, while speaking to Dawn, pointed out the potential risks of the data breach. “It is alarming and, at the same time, a reminder for users to realise the vulnerability of tech companies referring to the Facebook controversy. In Careem’s case, not only is personal information at risk but also financial,” he said.

Calling out the growing need for data protection laws, Mr Khilji said the Prevention of Electronic Crimes Act, 2016, provided for telecom and internet service providers to retain data for at least 90 days, but it did not include any provisions that protected citizens’ data or privacy.

“Given what has happened with Careem, unfortunately due to a lack of data protection laws, the users have no recourse to pursue the matter legally. In such circumstances, the [hacked] data can be manipulated to track activists, journalists and politically-vulnerable communities,” he added.

Referring to the recent incidents of ATM scamming across Pakistan, in which customers lost thousands of rupees and banks suffered major losses, he said the Careem data breach could lead to worse consequences as the data was extensive and vast in nature.

Published in Dawn, April 24th, 2018