Ride-hailing service Careem lost 14 million users’ data… in January


Careem, a ride-hailing startup based in Dubai and operating in 13 countries, announced on Monday that it discovered a breach in January that affected 14 million users’ data.

The intruder(s) got at customers’ and drivers’ names, email addresses, phone numbers and trip data. So far, Careem hasn’t seen any evidence that passwords or credit card data were involved in the breach.

Careem said that it keeps customers’ credit card information on an external, third-party, Payment Card Industry (PCI) -compliant server that uses “highly secure protocols and is employed by international banks around the globe to protect financial information.”

Should customers and drivers be reassured? As we’ve noted in the past, PCI’s own Data Security Standard (DSS) has been a compliance headache for companies around the world, setting a “check the box” mentality for firms who don’t take their security seriously enough.

Well, is that so bad? Some say that PCI DSS and other regulations of its ilk – SOX and HIPAA, for example – make for a good cattle prod to get companies to take security seriously.

At any rate, Careem says it discovered the breach on 14 January but didn’t notify customers right away because an investigation was under way. From its announcement:

Cybercrime investigations are immensely complicated and take time. We wanted to make sure we had the most accurate information before notifying people.

That might seem like an important delay but hey, at least it was doing something positive rather than taking a leaf out of the Uber playbook.

Uber’s response to the theft of 57 million driver and customer records was a deafening silence lasting longer than a year as it hoped its attempt to pay the hackers $100,000 to “delete the data [and] keep quiet”, would stop anyone from finding out.

Careem said it’s been working to figure out what happened, determine who was affected and figure out how to boost its network defenses. It says it’s enhanced monitoring so it can detect and respond quickly to security threats, for example, and will continue to bolster defenses over coming months.

The usual post-breach precautions apply:

  • Update your Careem passcode, and then update your password on any other accounts using the same or similar details. Make your new one good and strong. Here’s how. And if we’ve said it once, we’ve said it a million times: reusing passwords is really, truly a terrible idea. So don’t!
  • Watch out for spearphishers. Unsolicited communications that try to get personal information out of you, or send you to a site that wants your account credentials, should be greeted with your hairiest of eyeballs. Don’t click on links or download attachments from unfamiliar emails.
  • Keep an eye on your bank account and credit card statements for suspicious activity. See something weird? Call your bank.