On Monday, Careem, the Dubai-based ride-hailing company operating in the MENA region, Turkey, and Pakistan, announced that it learned “online criminals” had obtained the personal information of over 14.5 million users and drivers, including their trip histories, on January 14, 2018.
According to a spokesperson from Careem, the company’s records show that the system was first breached in December 2017, but it did not detect the breach until January 14. At that time, Careem had 14 million customers and 558,000 registered drivers and as long as the criminals were inside Careem’s system, they had access to all users’ names, email addresses, phone numbers, and historic trip data, defined by Careem as each customer’s pickup and dropoff points. In the press release describing the incident, the ride-hailing company insisted that the perpetrators of the breach were not able to access passwords and payment information, which are stored on “an external third-party PCP compliant server,” a technology also used by banks to safeguard financial information.
Despite the three-month delay in disclosing the breach, Careem has released scant information about it, explaining only that “the online criminals gained access to [Careem’s] computer system.” The company stated that it has “engaged cybersecurity experts,” but did not provide more detailed information on what specific steps it has taken or will take to prevent a similar breach from happening again. When SMEX asked whether a state actor could have played a role in the breach, the spokesperson from Careem refused to speculate on the identity of the criminals, but stressed that the company is “continuing to work with law enforcement officials to investigate the matter.”
The compromised data allows the hackers to paint a comprehensive picture of a user’s daily life and the places they frequent. The information could also be useful to security agencies in countries across the region. For example, the security services in Egypt, which constitutes about half of Careem’s total business, has long been interested in obtaining such information. In 2017, Egyptian ministers asked Careem executives for access to trip data and Uber executives for access to its “Heaven” feature, which would allow security agencies to see live data about users’ trips. Just recently, Egypt also introduced a draft law for ride-hailing services that “requires all databases and private information collected by Uber or other ride-hailing companies be made available to unspecified authorities.”
SMEX encourages Careem to release its findings to the public once the investigation is concluded.