Delay in reporting Careem breach ‘unacceptable’
Security experts criticise Careem for waiting three months to report hack of customer data
Industry experts have criticised ride-hailing app Careem for failing to report the loss of customer data for nearly three months.
Gregg Petersen of Veeam Software said that not alerting customers to the breach for so long "isn't acceptable", and that organisations need to work faster to maintain the trust of their customers.
Jordanian cybersecurity expert Raed Nesheiwat also said that the delay represented a "huge problem", according to Arab News.
Personal details of up to 14 million Careem customers and drivers across the Middle East, North Africa, Pakistan and Turkey were breached in January, but the incident was only reported this week.
Careem has previously said that it did not warn customers of the loss as it did not want to alert the attackers that it was aware of the breach until it had been fixed.
The company has said that no payment or banking details were compromised and that there was no evidence of misuse, but added that customers should check their bank and card statements for any suspicious activity.
The breach is believed to have exposed data including customers' names, email addresses, phone numbers and trip data.
Under the General Data Protection Regulation (GDPR), which becomes enforceable in Europe next month, organisations have to report a personal data breach to the relevant supervisory authority within 72 hours of becoming aware of it, or give reasons for any delay. Individuals whose data has been breached have to be told "without undue delay" where the breach is likely to put them at high risk, either individually or, where individual notification would involve disproportionate effort, by public announcement.
While the Middle East itself will not be governed by GDPR, the regulation also reaches organisations outside the EU that hold personal data on people in the EU, so there are wide implications for organisations in the region that keep personal data on any customers either from the EU or who travel to the EU.
Gregg Petersen, regional sales vice president, Middle East & Africa at Veeam Software, commented on the breach: "The Careem breach of driver and rider account data is extremely concerning. Customers need the confidence and trust that digital transactions and the handling of data will always work as expected. With GDPR only a month away from being enforced, this is a timely reminder for businesses of all shapes and sizes to ensure business AND personal data is subject to the most rigorous of standards and service levels and security. It appears from the reports today that this is the first public notification of a breach that happened in mid-January, which, if that is the case, isn't acceptable.
"Security breaches are getting bigger and bigger. What started off as a few files or records is now being regularly measured in the millions of users. Businesses must understand and act fast to ensure the chain of trust between them and their customers is never broken; not just to retain a customer, but to attract new customers and avoid business-changing fines," Petersen added.