Careem has recently admitted to a data breach that occurred in its system that stores users and captains’ data in January this year. The breach was downplayed through a carefully drafted press release where it referred to the breach as a ‘cyber incident’. While it is indeed a ‘cyber incident’, it is one of huge magnanimity.
As Careem admits, the stolen data includes information such as names, E-Mail addresses, phone numbers, physical addresses and travel routes. Although the company insists that ‘there is no evidence’ of password and credit card data being compromised because passwords are encrypted and credit card information is stored on a third-party PCI compliant server, it advises in its recommendation to change passwords and to review bank and credit card statements for discrepancies. Imagine the nature of vulnerability this puts a user in and what this kind of information could mean in the wrong hands.
Dear Customers, we have identified a cyber incident that took place in January 2018 involving unauthorized access to the system we use to store data. Our wider security protocol keep passwords encrypted and credit card details on a separate system. pic.twitter.com/rkcpf671ct
— Careem (@careem) April 23, 2018
Here are my reasons for not taking this breach lightly
Identity theft
One thing that is considered gold by hackers and cyber fraudsters is identity information. They assume the identity of the affected person to gain access to malicious programmes and use this information for registration to systems.
Financial fraud
Even though Careem insists that there is ‘no evidence’ of credit card data being stolen, it is advising its customers to review bank and credit card statements for ‘suspicious activity’ and transaction discrepancies. Does this mean the company is unsure? If it falls into the wrong hands, this credit card information could result in unauthorised transactions. In simple words, it’s the end users who would lose money.
Could lead to another data breach
Since many users have same set of login credentials on other websites and apps as well, it’s highly likely the hackers could have gained access to your other online accounts; such as E-Mail addresses, social media networks and apps, which essentially means they could be robbed of more data and online information.
Blackmail, harassment and bullying
In an environment where users – especially women – already have apprehensions about using ride-hailing apps where their locations, phone numbers and identities are revealed to the captains, this data breach could bring more bad news. The hackers could use their contact information for cybercrimes like blackmailing, harassment and bullying.
https://twitter.com/4Bara/status/988442285485559809
What can you do about it?
Change your password immediately
It’s a no-brainer. Change your password immediately and review your personal information; such as travel history, frequently used routes, etc. and only delete the information which you don’t need stored.
Also, ensure you don’t use the same set of login credentials for other websites.
Block credit cards
I know this sounds extreme. But it’s not, given the breach of this data. Either get your bank to manually authorise credit card payments for you in which case you will have to ask your bank to open a session every time you need to do an online transaction, or get online transactions blocked on it. I know this is akin to setting the fledgling ecommerce industry of Pakistan back by a decade, but desperate times call for desperate measures.
User second numbers/double numbers
Most Careem captains already do this. Users can too. If you don’t have a second phone number, get a ‘double number’ which every network provider issues on your existing number and sim card. Use that as the primary identifier for your Careem accounts.
Review linked accounts
In the world of social connectivity, users’ information can be tracked online using their names, phone numbers or E-Mail addresses. One online search of a phone number can take you to the Facebook or WhatsApp profile of the customer if the same information is used across multiple platforms. It’s crucial for your online privacy to not link your social media accounts with each other.
While it is true that no company is immune to cyber-attacks and data thefts, companies of this magnitude have to be answerable in a more comprehensive manner and shouldn’t go scot-free. They have to answer to the local law enforcement and take users into confidence and offer compensation where it is due. Unfortunately, Pakistan lacks data protection legislation so it’s unlikely that Careem will be made to answer questions and pay for the breach.
In such a case, users have to be more vigilant and take things in own hands. Share as little information as possible.
The writer is the Digital Editor, Daily Times and can be reached at [email protected]. He tweets and instagrams @FarhanJanjua