Digital Rights Foundation raises questions on Careem’s security breach

Careem recently revealed they suffered a massive security breach in January that compromised data of riders and captains. The ride-hailing company is now experiencing an uproar from their customers for the delayed notification of the data breach.

Amidst the severe backlash, Digital Rights Foundation (DRF) is asking the right questions. DRF has been advocating for a data protection legislation for Pakistan that protects Pakistani customers from such incidents. DRF published a statement expressing concern over the critical nature of the data that has been compromised and pointing out the weakness in the security protocol of these systems. Through the hacked information, the attackers can easily identify not only riders but their whereabouts by exploring their trip patterns. If revealed, this data can pose extreme danger to individuals. Here is what DRF wants Careem to answer:

• Why did it take months to report the incident to the public?
• What is the number of customers that are affected by this breach?
• Who were the perpetrators of the attack?
• What happened to the stolen data and where was it potentially stored?
• What measures is the company taking to ensure the security of stolen data?
• Will Careem take responsibility for any unforeseen incident occurring by the misuse of data?
• How will Careem ensure the stronger security of customer information in the future?

Yes, Careem was carrying out investigations but millions of customers were using the ride-hailing service since January without being aware that their data has been compromised, therefore they could not raise their concern or hold the company accountable for their stolen data. DRF says that,

“Careem’s silence for four months and inadequate justification of the data breach is indicative of the fact that tech companies operate without being held accountable under any laws in the countries where they operate.”

DRF also pointed out to the business models of several tech companies that revolve around selling user data. Recently, it was revealed Facebook also collects data of non-Facebook users while Google amasses user data 10 times more than Facebook and then sells it to the highest bidder.