News Source: Express Tribune
By: Muhammad Haroon
LAHORE: The Lahore High Court (LHC) on Friday summoned the provincial government, Pakistan Telecommunications Authority (PTA) and others in a petition filed against the mass data leak of online cab-hailing service Careem.
During the hearing of the case, heard by Justice Abid Aziz Sheikh, the petitioner alleged that the ride-hailing company stole sensitive data of its customers. Credit card information, email addresses and other user-specific information were stolen and sold, alleged the petitioner.
The petitioner added that the data leak is a massive breach of users’ privacy and that federal laws dictate that no information is to be shared with anyone without prior permission. The petitioner further added that the breach creates the possibility of misuse of credit card information, which is detrimental to the customers.
The petition also added that data of millions of users has been compromised and could brew further problems for them. At this, the court summoned PTA, Careem and the provincial government on the matter.
Careem, in a public statement issued on April 23, said that it “has identified a cyber incident involving unauthorised access to the system we use to store data”.
“On January 14 of this year, we became aware that online criminals gained access to our computer systems which hold customer and captain account data. Customers and captains who have signed up with us since that date are not affected,” stated the company on its ‘blog’ section.
“While we have seen no evidence of fraud or misuse related to this incident, it is our responsibility to be open and honest with you, and to reaffirm our commitment to protecting your privacy and data.”
Users and experts have questioned the company, demanding to know the extent of the data breach and why it took the company more than three months to report the “incident”.
“Cybercrime investigations are immensely complicated and take time,” stated Gemma McKeown, chief press officer of the Dubai-based company, in an emailed response to The Express Tribune. “We wanted to make sure we had the most accurate information before notifying people.”
Yet, more than three months later, the company said it “has seen no evidence of fraud or misuse related to this incident and there is no evidence that passwords or credit card numbers have been compromised”.
While it may not have seen evidence that passwords or credit card numbers have been compromised, the company did not categorically state that passwords or credit card numbers have not been compromised.
The company had also warned users to take safety measures on their own and be vigilant over their bank account usage and credit card transactions, hinting that there could be a possibility of misuse.
It has also asked users to ‘update’ passwords and implement “good password management”.