ISLAMABAD: Careem’s data has been breached by unidentified hackers, according to Careem’s official statement released on April 23, 2018.
According to the statement, Careem’s management first learned of the breach on January 14 and found that the attackers had been able to access the names, email addresses, phone numbers and trip data of customers and captains.
However, the management maintains that there is no “evidence” that credit card details or account passwords were also compromised in the attack. Absence of evidence is not confirmation that they were safe; the statement’s own advice to change passwords and watch card statements reflects that uncertainty.
It is to be noted that at the time of the data breach, 14 million customers and 558,000 captains were active on Careem’s systems across 13 countries.
However, not all of these accounts were affected. Speaking to Dawn newspaper, a Careem official stated that only accounts set up before January 14, 2018 were affected.
Meanwhile, the official statement urges all Careem users to change their passwords immediately, to make them complex by using a mix of character types, and not to reuse them on other sites. It also urges customers to monitor their credit card and bank statements for any suspicious activity.
Apologizing for the breach, the statement notes that Careem’s management is working with law enforcement agencies and has taken steps to further improve the security of its systems.
This is not the first time that hackers have been able to access Careem’s information systems. Earlier, in 2017, an ethical hacker named Danial Nasir was able to access the data of 1.4 million Careem users. This included names, email addresses, mobile phone numbers, ID card numbers, trips, payment information and even the pictures of Careem drivers. The data also included details of the cars registered with Careem. According to ethical hacker Babar Akhunzada, his colleague Danial did not receive any response from the company when he reached out to them.
Big software companies, including Microsoft, regularly engage ethical hackers around the world through bug bounty programs, paying them for identifying vulnerabilities in their software. Pakistani ethical hackers, however, complain of a lack of interest in the local market in improving cyber security in this manner.
Careem takes three months to report data breach
It took Careem more than three months to report the data breach. Elaborating on the reasons for the delay, the official statement said:
“Cybercrime investigations are immensely complicated and take time. We wanted to make sure we had the most accurate information before notifying people. Since discovering the issue, we have worked to understand what happened, who was affected, and what we needed to do to strengthen our network defences. Specifically, we have introduced enhanced monitoring capabilities across our infrastructure that allows us to detect and respond quickly to security threats. While we feel our response has been robust, we are also implementing a further programme of updates to further develop our security capabilities over coming months.”
Experts have often expressed concern at the laxity of corporations in Pakistan in reporting data breaches in a timely manner. They have long called for a data protection law in Pakistan that would allow the government to investigate data breaches and hold corporations accountable for them.
More than 100 countries around the world have introduced data protection laws. In some jurisdictions, such as the European Union under its General Data Protection Regulation (GDPR), corporations are bound to report data breaches to the supervisory authority within 72 hours of becoming aware of them, and to notify the affected individuals as well when the breach is likely to result in a high risk to them.
Talal Raza is a Program Manager at Media Matters for Democracy. He has worked with renowned media organizations and NGOs including Geo News, The Nation, United States Institute of Peace and Privacy International.