Did Careem ignore advice on security breach vulnerabilities?

Top Stories

Did Careem ignore advice on security breach vulnerabilities?

Dubai - A Pakistani researcher said he "penetrated Careem's apps for security vulnerabilities" in March 2017.

by

Kelly Clarke

  • Follow us on
  • google-news
  • whatsapp
  • telegram

Published: Wed 25 Apr 2018, 7:53 PM

Ride-hailing giant Careem announced to the public this week that the personal data of 14 million users was hacked. But was Careem alerted of vulnerabilities in its system months before the January 14 discovery? According to one cyber security researcher, yes.
Via a blog on its website on Monday, Careem said a cyber incident involving "unauthorised access" to its data-storing system led to the leak. They claimed the discovery was made on January 14, 2018.
But reaching out to Khaleej Times, Daniyal Nasir, a Pakistan-based researcher said he "penetrated Careem's apps for security vulnerabilities" back in March 2017 and noticed a breach in the security of its data.
"I gained access to their complete user data including e-mails, pictures of all captains, cars, booking details, even the users location," he told Khaleej Times.
Carrying out the research for a Pakistan security firm at the time, the company posted a blog on its website as well as its accompanying Facebook page on June 16, 2017 informing the public of the hack, titled: 'Researcher saved Careem from 1.4 million users data breach'.
A former resident of Dubai, Nasir said he informed Careem's Pakistan office about the "security vulnerabilities" soon after the breach, but alleges they "didn't respond how they should have".
Sharing a copy of the original e-mail he sent to Careem (Pakistan), an excerpt from the message read: "Our team found some issues in the Careem app which can lead to some captains, customer data being leaked".

Nasir then said he received a response to that mail from a Careem representative on March 21, 2017 (date is visible in copy shared with us), which read: ".we strive 24/7 to improve our services but sometimes due to some human or system error we fail to so".
But Nasir said the response was "not acceptable" following the information he had shared with them alerting the team of a security breach.
When Khaleej Times reached out to Careem following Nasir's claims, it did not comment on this individual case, but did provide insight into how they deal with alert issues from cyber security firms and researchers.
"Like many companies, we frequently receive messages from independent security researchers on potential technical issues. We do our best to respond to each individual, and we are actively reviewing our process to see how we can work better with this incredibly helpful community."
Going forward, the representative said "researchers should contact Careem on security@careem.com."
And when asked why Careem took several months to announce details of this latest security breach to the public it said: "Cybercrime investigations are immensely complicated and take time.
We wanted to make sure we had the most accurate information before notifying people. Since discovering the issue, we have worked to understand what happened, who was affected, and what we needed to do to strengthen our network defences."
Since the breach, Careem has introduced "enhanced monitoring capabilities across our infrastructure" that allows us to detect and respond quickly to security threats.
"While our response has been robust, we are also implementing a further programme of updates to further develop our security capabilities over coming months." 
kelly@khaleejtimes.com


More news from