Egyptian Streets reported on Monday that popular ride-hailing app Careem announced that it had been the victim of a security breach in January, which compromised the names, email addresses, phone numbers, and trip data of both customers and drivers. It has, however, now come to light that Careem was in fact informed about similar security issues in June 2017.
A Dubai-based security researcher, Daniel Nasir, was able to access the information of over 1.4 million customers and captains of the company. According to a blog run by Security Wall, a Pakistan-based cybersecurity firm, he was able to access drivers’ emails, names, mobile numbers, ID card numbers, trips, payment information, and photographs – in addition to the details of all cars registered with Careem, including their registration numbers.
The blog goes on to explain how Nasir, whose work has been acknowledged by companies such as Microsoft, Sony, and Starbucks, and the Security Wall team tried to reach Careem in order to discuss the issues, but in response received what appeared to be an automated message, stating that the company aims to improve its services to its customers, but sometimes cannot do so due to human or system error. Security Wall also reached the local Managing Director, Junaid Iqbal, the CEO, Mudassir Sheikha, members of the technical departments, and support teams, with similarly frustrating outcomes.
Nasir and the Security Wall team decided not to pursue the case further as they felt Careem was uninterested in discussing the issue. However, it appeared that some of the issues they had reported were in fact fixed several days afterwards. The blog also noted that while some issues were addressed, Careem’s application still had vulnerabilities; Security Wall contacted Careem again with the details, and the company agreed to launch a bug bounty program for the researchers. Whether the program was introduced is uncertain.