KARACHI: When Facebook admitted its users’ data was breached, Mark Zuckerberg appeared before the US Congress.
On the other hand, when users of ride-hailing app Careem fell victim to a “cyber incident” – the company found a softer way of saying data breach – its CEO shied away from answering the phone.
Close to three out of every four users who have Careem installed on their phones were affected. It is a big deal.
It becomes a bigger deal when stolen data could possibly include customers’ names, email addresses, phone numbers, trip data as well as credit card information and passwords.
Imagine the treasure trove the hacker must have landed, and the amount firms would be willing to pay for the data that has the potential to track a user’s movement, time table, office-and-home schedules as well as bank details.
If this wasn’t enough, it has been over three months since the data breach – not “cyber incident” – occurred.
Careem, in a public statement issued on April 23, said that it “has identified a cyber incident involving unauthorised access to the system we use to store data”.
“On January 14 of this year, we became aware that online criminals gained access to our computer systems which hold customer and captain account data. Customers and captains who have signed up with us since that date are not affected,” stated the company on its ‘blog’ section.
“While we have seen no evidence of fraud or misuse related to this incident, it is our responsibility to be open and honest with you, and to reaffirm our commitment to protecting your privacy and data.”
Users and experts have questioned the company, demanding to know the extent of the data breach and why it took the company more than three months to report the “incident”.
“Cybercrime investigations are immensely complicated and take time,” stated Gemma McKeown, chief press officer of the Dubai-based company, in an emailed response to The Express Tribune. “We wanted to make sure we had the most accurate information before notifying people.”
Yet, more than three months later, the company said it “has seen no evidence of fraud or misuse related to this incident and there is no evidence that passwords or credit card numbers have been compromised”.
While it may not have seen evidence that passwords or credit card numbers were compromised, the company did not categorically state that they were not compromised.
The company has also warned users to take safety measures on their own and to be vigilant over their bank account usage and credit card transactions, hinting at the possibility of misuse.
It has also asked users to “update” passwords and implement “good password management”.
“Continue to review bank account and credit card statements for suspicious activity – if you see anything unexpected, call your bank,” stated the company, directing users to settle with their bank any issues the data breach may have caused.
Careem operates in 14 countries and close to 100 cities, and has 20 million customers. Of these, 14 million were “affected by the incident” and have been notified.
“Users who have signed up with us since January 14 are not affected,” stated the company. The company did not disclose the number of users in Pakistan, but estimates suggest that it would fall in the range of 4-6 million.
“Pakistan is the second largest market for Careem in terms of the number of trips. In terms of revenue, it is the third largest,” said a source who shared details on the condition of anonymity.
The company also refrained from sharing further details as it is “supporting law enforcement agencies with ongoing investigations”. “We’re limited in the details we can share with you at this point,” said McKeown.
What the data breach means
In this day and age, data means a lot more than users’ names and email addresses. It is about privacy being invaded by a third party – in this case, the hacker – which you did not sign up for.
“Data is very valuable, as valuable as real cash,” said Nahas A Jaleel, who is currently studying an executive course on Blockchain Strategies from the Said Business School, University of Oxford.
“Depending on how it’s used, its worth can increase.
“All we have seen so far from Careem is a well-drafted public relations statement. This is of no use to the customers. This is irresponsible behaviour.
“Stolen data can reveal where a customer was, at what time, where he went to. Someone who wants to keep these things a secret will understandably be worried.”
Other experts say Pakistan’s market, which already shies away from online payments, would be pushed further back by such “incidents”.
“Declaration of theft and saying, ‘we are sorry’ is not enough – it is an offence and there should be a penalty,” said lawyer Abdullah Usman who has expertise in cybercrime and is an adjunct professor at the Punjab Judicial Academy.
What the law says
Despite the development, experts believe not much can be done.
Due to the lack of appropriate legislation, Careem is unlikely to be held accountable, as the Ministry of Information Technology and Telecommunication (MoITT), which prepared a draft of the Data Protection Act a year ago, failed to get it passed by parliament.
“With evolving technology, criminals are also getting sophisticated,” said Parvez Iftikhar, an Islamabad-based Information Communication and Technology (ICT) expert.
“The Data Protection Act should be in place.”
“It is common practice that people keep the same password across multiple platforms.”
Published in The Express Tribune, April 26th, 2018.