The personal data of up to 14 million people in the Middle East, North Africa, Pakistan and Turkey has been stolen by online criminals in a cyber-attack on the systems of Dubai ride sharing platform Careem.
On January 14, the company detected the breach in the computer systems which hold the account data of customers and captains – or drivers – in 78 cities in 13 countries. Names, email addresses and phone numbers, as well as trip data, were stolen.
At the time of the attack, Careem had 14 million customers and 558,000 captains on its platform. Those who have signed up since then are not affected by the breach.
It is the first successful cyber-attack of this magnitude on the company, according to Careem.
It said that there is no evidence that passwords, which are encrypted, or credit card numbers, which are kept with a highly-secure external third party, have been compromised.
No fraud or misuse related to the stolen information has been discovered so far by the company.
On January 14th, the company said it was alerted to a message the hacker had left on its system. It immediately investigated the incident, and together with an external cyber security firm put in place measures to protect the data and ensure its services were not disrupted.
Careem said it successfully identified and secured the source of the breach and has now strengthened its network defences.
Relevant law enforcement agencies will be notified in due course and the company is collaborating with Interpol. Careem’s servers are located in Ireland. It will also notify Dubai’s Roads and Transport Authority, Careem said.
"We regularly review and update our security systems – this time it wasn't enough to prevent an attack," Careem said in an email it will send to its customers on Monday, which The National has seen in advance, apologising for the security failure.
Mudassir Sheikha, Careem chief executive and co-founder, told The National that "throughout the incident, our priority has been to protect the data and privacy of our customers and captains. Since we discovered the criminal activity, we worked to understand the situation, who was affected, and what we needed to do. We're sorry for what happened, but Careem has learned from this and will come out stronger and more resilient."
Careem, which has expanded its services to 90 cities and 14 countries this year, is making a huge investment in digital security off the back of the January incident and has hired “leading cyber security experts”.
The RTA, which uses Careem’s ride hailing app for its taxis, is not affected by the attack, as it does not share any of its drivers' data with the company.
According to the UAE Telecommunications Regulations Authority, hackers targeted 34 websites in January, including eight data breaches.
In November, rival Uber said it had paid hackers to delete the personal data of 57 million customers and drivers in an attack that the company did not disclose for more than a year. Its chief security officer was dismissed over the incident.
Cyber security threats around the world are on the rise, and last May major companies such as FedEx and Telefonica, and public institutions including the UK's National Health Service, were victims of a worldwide WannaCry ransomware attack.
Researchers at Kaspersky Lab at the time recorded more than 45,000 attacks in 74 countries worldwide, including the UK, UAE, Spain, Russia and Saudi Arabia.