The Careem data breach is one of the largest data breaches specifically affecting the Middle East. I would not be surprised if the 14 million breached accounts include every single user registered with Careem.
Since Careem states that payment details were not taken, cardholders do not need to worry about their credit cards as a result of this breach. According to its blog statement, Careem, like most other companies, uses a payment card provider to store and process credit card information rather than holding it itself.
However, users need to be aware that their names, email addresses, phone numbers and trip records are now in the hands of an unauthorized third party. I am sure that Careem would rather have done without all of this, and I am also sure they are doing everything they can to understand what happened and to prevent similar breaches from happening in the future.
It raises some important considerations regarding the trust we place in the online services we use and, following from that, the amount of sensitive information we are willing to expose to them. This opens up broader questions about the services we use and how they affect our lives. The Facebook data scandal is another good example, as it revealed how attackers are finding new and innovative ways to leverage our sensitive information, not just for financial gain but even to influence our decisions and actions. To know more about my thoughts on that, you can read this article that I wrote for Gulf News.
For end users, an aspect of this breach worth noting is that Careem discovered it in January, it might have occurred at any time before that, and it was only disclosed to the public three months later. Such a delay in reporting is quite common, as it takes time to analyze what happened and what has leaked. Industry reports put the average time from breach to discovery at between 120 and 180 days, and the vast majority of breaches are discovered not by the affected company but by a third-party organization. It is also standard practice for organizations to first try to unravel a breach through digital forensics before issuing a public statement. All of this means that user data is typically exposed for much longer than the gap between discovery and disclosure suggests.
What should users do about the specific issue with Careem? First of all, if you used the same password for your Careem account on any other service, change it immediately on all of those services. The days of reusing passwords are long gone. Also, be much more vigilant and alert to any emails coming from Careem or that look like they are coming from Careem: your data could now be exploited in phishing attempts, and because the attackers hold your name, phone number and trip history, such messages can look very convincing. Rather than following links in an unexpected email, open the Careem app or type the address yourself.
Nicolai Solling, CTO at Help AG