Home / / Careem users urged to change passwords and watch for phishing

Careem users urged to change passwords and watch for phishing

Careem customers should take steps to protect themselves in wake of breach, says Help AG

Careem users urged to change passwords and watch for phishing
Careem customers should be wary of phishing attempts in the wake of the data breach, says Solling.

Careem customers should change their passwords, and be on the lookout for phishing emails that may appear to come from company, according to security specialists Help AG.

The ride-hailing service announced on Monday that some 14 million customer records were compromised in a cybersecurity incident.

Nicolai Solling, CTO of Help AG said that the number of records breached meant that it is advisable for all Careem customers to take steps: "Users need to be aware that their names, email addresses, phone numbers and trip records are in the hands of a third-party organisation.

"If you used the same password for your Careem app on any other services, make sure you change it immediately on all other services. The time of re-using passwords are long gone! Also, be much more vigilant and alert to any e-mails coming from Careem or that look like they are coming from Careem. Your data could now be exploited in phishing attempts."

The total of 14 million breached records reported by Careem, one of the largest in the Middle East, meant that it was possible that every registered Careem user has been affected, Solling added, although some users report they have not been contacted by the company as of yet.

Solling also said that the delay in reporting the incident, which was discovered in January, was not unusual as companies often struggle to know when they have been attacked and to be able to understand the impact of an incident.

"The delay in Careem's reporting of the incident is quite common as it takes time to analyze what happened and what has leaked," he said. "Industry baselines indicate that the average time from a breach to discovery is between 120 and 180 days, and the vast majority of breaches are not discovered by the affected company but by a third-party organisation. It is also standard protocol for organisations to first try to unravel breaches through the use of digital forensics before issuing public statements. All of this means user data is potentially exposed for a longer period."

Solling added that the Careem incident raises some important considerations regarding the trust that users are placing in all online services, and the amount of sensitive information that users are willing to expose.

"This opens up a greater questions around the services we use and how they impact our life - the Facebook data breach scandal is another great example as this revealed how attackers are finding new and innovative way to leverage our sensitive information not just for financial gain but even to influence our decisions and actions," he said.

Follow us to get the most comprehensive IT Security news delivered fresh from our social media accounts on Facebook, Twitter, Youtube, and listen to our Weekly Podcast. Click here to sign up for our weekly newsletter on curated technology news in the Middle East and Worldwide.