Gulf News

Careem picks cybersecurity firm to investigate breach

Ride-hailing app appoints VUL9 to respond to hack that exposed the details of 14m users last week

- BY ED CLOWES Staff Reporter

Ride-hailing app Careem has appointed local cybersecurity firm VUL9, following a hack announced last week that exposed the personal details of 14 million customers.

The security company, based in Umm Al Quwain, confirmed to Gulf News that it was assisting Careem in its response to “the incident and the breach.”

Mohammad Amine Belarbi, chief executive and co-founder of VUL9, declined to comment on the circumstances surrounding the breach, citing client confidentiality. Details surrounding VUL9 are scant, but the company describes itself as a boutique firm specialising in infrastructure defence, cyber warfare, and data protection.

“Our highly skilled team of experts and specialists have located breaches and remediated to vulnerabilities on major Fortune 500 Technology companies including Google, Facebook, Yahoo, Twitter, Cisco and Adobe,” the company claims on its website.

Moroccan national Belarbi, who founded the security firm with countryman Mohammad Al Khdime, also lists Careem and Aramex, both based in Dubai, among the company’s clients on his LinkedIn profile.

Unusually, VUL9 claims in its company brochure that it has “offensive… cyberwarfare capabilities”.

Companies rarely admit when they are involved in offensive hacking, due to the uncertainty surrounding cyberwarfare laws, experts say.

In a statement to Gulf News regarding the appointment of VUL9, a Careem spokesperson confirmed that the company had engaged a “leading cybersecurity firm to assist our internal IT experts to forensically investigate the unauthorised access and to assist us with strengthening our security systems.”

Enhanced monitoring

On the steps taken to strengthen Careem’s security since the breach was discovered in January, the spokesperson added that the company has “introduced enhanced monitoring capabilities across our infrastructure that allow us to detect and respond quickly to security issues, as well as upgrading access controls for our users using market-leading, multi-factor authentication controls.”

“We have also redesigned our cloud architecture to ensure all our endpoints are embedded behind multiple layers of security,” they added.

Amazon Web Services (AWS), who are responsible for storing Careem’s data on servers in Ireland, denied the suggestion that their servers were breached, telling Gulf News in a statement that “all AWS security features and networks did, and continue to, operate as designed.”

Telr, the company that processes payments for Careem, also denied that the hack had taken place on their end.

Last week, Gulf News reported that the start-up, which last year closed a $150 million (Dh550.95 million) round of venture capital funding, had been informed of vulnerabilities on their web application as early as November 2016.

