Dubai's Careem admits to data breach of 14 million users

Cyber criminals have stolen the personal data of more than 14 million customers of the popular Dubai-born, ride-hailing service Careem.

In a blog post on Careem's website on Monday, it said on January 14 it "identified a cyber incident involving unauthorised access to the system we use to store data".  

In a separate statement to Khaleej Times, a company spokesperson said it could not share how many people were affected in the UAE as it "does not disclose market data" here, but it did share an overall figure.

"20 million customers have signed up across our platform. We are currently in 14 countries and close to 100 cities. 14 million of these customers were affected by the incident."

On January 14, Careem said it "became aware" that online criminals gained access to its computer systems which hold customer and captain (drivers) account data.

Although the blog stated there is "no evidence" that password or credit card numbers have been compromised, it did state that the online criminals hacked personal information including customers' name, email address, phone number and trip data.

"A PCP server uses highly secure protocols and is employed by international banks around the globe to protect financial information," the blog read.

However, it did reiterate that customers and captains who signed up with the service after January 14 will not have been affected by the data hack.

Careem stated that as soon as it detected the breach, a thorough investigation was launched which engaged leading cybersecurity experts to assist in strengthening its security systems.

"We are also working with law enforcement agencies. Since discovering the issue, we have worked to understand what happened, who was affected, and what we needed to do to strengthen our network defences."

While Careem said it has "seen no evidence of fraud or misuse related to this incident", it said its main responsibility was to be open and honest with customers in order to reaffirm its commitment to protecting their privacy and data.

Moving forward, Careem said it understands the importance of customer privacy and it regularly reviews and updates its security systems, thought "this time it wasn't enough to prevent an attack".

"While no organisation is completely immune to the threat of cybercrime, we are committed to meeting these threats and protecting the privacy and data of those that have placed their trust in us. We apologise for what has happened but rest assured, Careem has learned from this experience and will come out of it a stronger and more resilient organisation."

Despite the attack, Careem is still operating as normal across Dubai. 

Dear Customers, we have identified a cyber incident that took place in January 2018 involving unauthorized access to the system we use to store data. Our wider security protocol keep passwords encrypted and credit card details on a separate system. pic.twitter.com/rkcpf671ct
- Careem (@careem) April 23, 2018