The personal data of up to 14 million people in the Middle East, North Africa, Pakistan and Turkey has been stolen by online criminals in a cyber-attack on the systems of Dubai ride sharing platform Careem. Company says customers' credit card details were held by third party and were not compromised, web portal The National reports.
On January 14, the company detected the breach in the computer systems which hold the account data of customers and captains – or drivers – in 78 cities in 13 countries. Names, email addresses, phone numbers, as well as trip data was stolen.
At the time of the attack, Careem had 14 million customers and 558,000 captains on its platform. Those who have signed up since then are not affected by the breach. It is the first successful cyber-attack of this magnitude on the company, according to Careem. It said that there is no evidence that passwords, which are encrypted, or credit card numbers, which are kept with a highly-secure external third party, have been compromised.
No fraud or misuse related to the stolen information has been discovered so far by the company.
On January 14th, the company said it was alerted to a message the hacker had left on its system. It immediately investigated the incident, and together with an external cyber security firm put in place measures to protect the data and ensure its services were not disrupted.
Careem said it successfully identified and secured the source of the breach and has now strengthened its network defences. Relevant law enforcement agencies will be notified in due course and the company is collaborating with Interpol. Careem’s servers are located in Ireland. It will also notify Dubai’s Roads and Transport Authority, Careem said.
“We regularly review and update our security systems – this time it wasn’t enough to prevent an attack,” Careem said in an email it will send to its customers on Monday, which The National has seen in advance, apologising for the security failure.
Mudassir Sheikha, Careem chief executive and co-founder told The National that “throughout the incident, our priority has been to protect the data and privacy of our customers and captains. Since we discovered the criminal activity, we worked to understand the situation, who was affected, and what we needed to do. We’re sorry for what happened, but Careem has learned from this and will come out stronger and more resilient.”
Careem, which has expanded its services to 90 cities and 14 countries this year, is making a huge investment in digital security off the back of the January incident and has hired “leading cyber security experts”.
The RTA, which uses Careem’s ride hailing app for its taxis, is not affected by the attack, as it does not share any of its drivers' data with the company. According to the UAE Telecommunications Regulations Authority, hackers targeted 34 websites in January, including eight data breaches.