Dubai-based ride-hailing app Careem has been hacked. The company says that the account information of 14 million drivers and customers may have been affected. The company operates in 90 cities and 13 countries across the Middle East and North Africa.
The details were made public in a blog posted on the company website. It states: “Careem has identified a cyber incident involving unauthorised access to the system we use to store data. While we have seen no evidence of fraud or misuse related to this incident, it is our responsibility to be open and honest with you, and to reaffirm our commitment to protecting your privacy and data.”
What will concern many users is that the breach was discovered on January 14th but is only now being made public. It will be interesting to see how regulators respond to the delay in warning customers. The company also states that any driver or customer using the service since that date is not affected.
What was stolen?
According to information from Careem, the details stolen include: “Customers’ name, email address, phone number and trip data.” It goes on to say that passwords, credit cards and other payment data were not stolen. It seems that the company stores all payment card data on: “an external third-party PCI-compliant server. A PCI server uses highly secure protocols and is employed by international banks around the globe to protect financial information.”
This is good and bad news for customers. Using a third party with its own highly secure servers on which to store payment data is a sensible move. It is one that few companies take advantage of, and it will help to mitigate the damage to Careem.
However, the bad news is that names and trip data were stolen. There is a significant risk here of blackmail and even physical attacks on individuals. The Middle East is a region where who goes where, and with whom, carries social stigma and other issues. Users will want to be sure that their personal lives have not been compromised by the data.
There is also a high risk of fraud as the attackers could use the data to persuade users into handing over more information. Trip data will show who works where. That information could be exploited to craft spear phishing attacks against users.
Why the delay in informing users?
The speed with which organisations notify users about a breach has been under the spotlight for some time. In Europe, GDPR is placing strict time limits on how long a company can withhold this information. The problem is that any delay in releasing the information opens the door for attackers to craft new attacks against their victims.
In this case, Careem claims it withheld the information due to the complexity of the investigation. That doesn’t mitigate the delay. It does, however, give the company time to find out exactly what was lost rather than having the message keep changing. It was this constantly changing messaging that hurt TalkTalk so badly when it tried to respond to losing customer data.
What should customers do?
Careem has provided a list of actions for users to take. It has not provided any support in terms of fraud protection through credit agencies. This is a surprise. While no payment data was stolen, there is enough information to allow attacks to be crafted.
The steps Careem suggests are:
- Implement good password management by updating your Careem password, as well as other accounts on which you use similar details. Use a strong mix of characters, and try not to use the same password for multiple sites.
- Remain cautious of any unsolicited communications that ask for personal information or refer to a web page asking for personal information.
- Avoid clicking on links or downloading attachments from unfamiliar emails.
- Continue to review bank account and credit card statements for suspicious activity – if you see anything unexpected, call your bank.
What does this mean?
Yet another organisation loses customer data. In this case it is the data of over 14 million customers and employees. Keeping the breach quiet does no good for anyone except those who have stolen the data. There is a case for minimising chatter until the scale of the breach has been established, but organisations need to focus on getting information out in a much shorter timescale. There will no doubt be questions from regulators about the delay and how the breach occurred.
The damage to customers and the business will take time to understand. There is increasing evidence that users are willing to move away from organisations that lose their data. This is easier to say than do. In some of the markets where Careem operates, there is no alternative to its ride-hailing service. This means that any loss of customers may be temporary.
For now, all eyes will be on any claims from customers that they have been affected by this data loss.