Hackers access personal data of 14 million Careem taxi users

  • Careem has said there’s been no breach of customers’ payment data, but advised users to monitor their bank accounts
  • The company was aware of the hack in January, but only notified users on Monday

DUBAI: Millions of Careem customers were urged on Monday to check their bank and credit-card accounts after the taxi company admitted that cybercriminals had hacked into app users’ account details three months ago.

The company told Arab News that financial data such as bank account details had not been accessed in the breach, but that other data had, including people’s names, phone numbers and emails. 

Nevertheless, it advised customers: “Continue to review bank account and credit card statements for suspicious activity – if you see anything unexpected, call your bank.”

The security breach took place on Jan. 14, but Careem advised customers only on Monday. Raed Nesheiwat, a cyber information security expert in Amman, said the delay was a “huge” problem. 

“Hackers got all Careem’s clients and captains’ personal information. Waiting three months to reveal this to the public is completely unacceptable,” he said.

“They allowed the hackers to use that data while their clients were not aware of the breach.”

Careem told customers in an email on Monday that it had “identified a cyber incident involving unauthorized access to the system we use to store data.”

It said credit-card information remained safe, but the hackers had been able to access customers’ names, email addresses, phone numbers and trip data.

The company said it had “seen no evidence of fraud or misuse related to this incident.”

It went on: “It is our responsibility to be open and honest with you, and to reaffirm our commitment to protecting your privacy and data.”

Careem is thought to have about 14 million customers across the Middle East, all of whose data has been accessed.

A Careem call handler in Dubai told Arab News: “We wanted to make sure we had all the information before we notified customers.”

She said that on discovering the breach Careem worked with the Dubai authorities to establish what had happened.

Asked why customers were not told sooner, she said: “We did not want to alert the hackers that we were aware of the breach before the issue was fixed.”

She said no bank account details had been hacked as this data was held separately, but that other personal information as listed in the company’s email had been accessed.

In the Careem email, customers were told to change their passwords and avoid opening emails and links from suspicious or unfamiliar sources.