Gulf News

Data of 14m Careem customers stolen

However, location services data could present possible security issues, says an expert

- Staff Report

Cybercriminals stole data of 14 million Careem customers, including their names, email addresses, phone numbers and trip data in the Middle East, North Africa and South Asia, on January 14, according to a blog post yesterday.

The Dubai-based ridesharing platform operates in 80 cities in 13 countries, including Pakistan.

“On January 14, we became aware that online criminals gained access to our computer systems which hold customer and captain account data. Customers and captains who have signed up with us since that date are not affected,” Careem’s blog said.

Contacted by Gulf News, the company said that none of the accounts had been compromised, but did not elaborate on what that meant.

Careem in a blog post yesterday said so far it had not seen any evidence the data stolen from its 14 million users in January had been misused. Customers’ credit card information is kept on an external third-party PCP-compliant server. A PCP server uses secure protocols and is employed by international banks around the globe to protect financial information, it stated.

“While we have seen no evidence of fraud or misuse related to this incident, it is our responsibility to be open and honest with you, and to reaffirm our commitment to protecting your privacy and data,” it said.

Nicolai Solling, chief technology officer at security solutions provider Help AG, told Gulf News that the delay in Careem’s reporting of the incident is unfortunately not uncommon.

He said the time it usually takes to identify a breach is between 120 and 180 days, and the vast majority of breaches are not discovered by the affected company but by a third-party organisation.

“This highlights how important it is to secure modern day businesses — especially as the use of digital technology becomes a mandatory competitive parameter. It should also be noted Careem is not the only ride-hailing service that has had problems protecting their customers’ and drivers’ data,” he said. He added that since payment details had not been lost, people did not need to have their cards replaced.

“What would be interesting is the data that is lost around trip information and account details,” he said. First of all, he said that the account information can be used in phishing attacks where an attacker can use the email address, name and maybe information around rides to trick a user into clicking a malicious link or giving away sensitive information.

Geo-data fear

“It would be interesting to understand from Careem if the geo-data related to a ride has been leaked as well,” he said.

However, he said that it is really the ride information which may be more tricky from a security perspective.

“Location-based ride services such as Careem are super convenient, but in order for them to be convenient, you also have to give away your location. That location can be your home, office or favourite restaurant — all data that says something about you.

“You may be comfortable having this information with a ride service, but in the hands of a third party hacker maybe it is not the most pleasant thing to think about,” he said.

Kalle Bjorn, director of systems engineering at Fortinet Middle East, said the security features of the apps on the app stores depend on the developer.

“One of the things is to get the apps as fast as possible onto the store which may compromise on the safety and security features. It is difficult to say that all the apps are safe or not. It depends case by case,” he said.

He added that the breaches or data loss could well stem from the back-end application on the cloud server that communicates with the app. Not only does the app need to have proper security features, but so too do the back-end applications.

Careem has raised $571.7 million (Dh2.10 billion) in funding to date, according to data from website Crunchbase. It received seed money of $1.7 million in a round led by STC Ventures in 2013.
