Ride-hailing service Careem on Monday warned users that their personal data had been compromised in a massive cyber-security breach.
The company stated that sensitive information like customers’ names, email addresses, phone numbers and trip history data had been stolen by hackers.
However, “there is no evidence that your password or credit card number have been compromised,” Careem assured its users. “Customers’ credit card information is kept on an external third-party PCP-compliant server,” Careem claimed.
The breach affects all customers and captains who signed up with the service before January 14, 2018. Users who signed up with the service after that date have not been affected, Careem said.
In its statement, the company did not specify whether the breach affected users and captains worldwide or only in a specific country. It also did not comment on the origin or nature of the cyber-security breach.
However, Emirati publication The National reported that: “The personal data of up to 14 million people in the Middle East, North Africa, Pakistan and Turkey has been stolen by online criminals in a cyber-attack on the systems of Dubai ride sharing platform Careem.”
The National reported that Careem also had 558,000 captains active at the time of the attack.
Careem launched in Pakistan in March 2016 and has since become one of the most popular ride-sharing services in the country.
What you can do to protect yourself
The company has recommended that users take the following steps to safeguard their personal information:
“Implement good password management by updating your Careem password, as well as other accounts on which you use similar details. Use a strong mix of characters, and try not to use the same password for multiple sites,” the handout read.
In addition, users were advised to “remain cautious of any unsolicited communications that ask for personal information or refer to a web page asking for personal information”; to “avoid clicking on links or downloading attachments from unfamiliar emails”; and to “continue to review bank account and credit card statements for suspicious activity.”
“If you see anything unexpected, call your bank,” the statement read.
Steps taken by Careem
The company said it had launched an investigation when it detected the breach, including engaging “leading cybersecurity experts to assist us in strengthening our security systems”.
The company added that it is also working with law enforcement agencies.
“Throughout the incident, our priority has been to protect the data and privacy of our customers and captains. Since discovering the issue, we have worked to understand what happened, who was affected, and what we needed to do to strengthen our network defences,” the company said.
The breach echoes an incident involving Careem rival Uber, which was hit by a similar data breach in October 2016.
“Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc, a massive breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers,” Bloomberg had reported on November 22, 2017.
“Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world,” the company had told Bloomberg.
The personal information of about seven million drivers was accessed as well, including some 600,000 US driver’s license numbers, Bloomberg had reported.
In Uber’s case, however, users’ trip history data had not been compromised.
Dawn.com has reached out to Careem representatives in Pakistan for further comment.