Data breach (Resolved)

Careem ride-hailing data breach

Attackers accessed the systems of Dubai-based ride-hailing app Careem and stole the names, emails, phone numbers and trip histories of around 14 million riders and 558,000 drivers across the Middle East, North Africa and South Asia.

Victim
Careem
Records
14.0M
Users
14.0M

On 23 April 2018, Careem, the Dubai-headquartered ride-hailing company that was then Uber's main rival across the Middle East, North Africa, Pakistan and Turkey, disclosed that attackers had stolen the personal data of around 14 million riders and 558,000 registered drivers. It was one of the largest consumer data breaches in the region's history.

What happened

Careem detected the intrusion on 14 January 2018, when it found that "online criminals" had gained access to a system storing customer and captain (driver) account information. The company's own forensic records later indicated the systems had first been compromised in December 2017. Anyone who signed up after 14 January 2018 was unaffected, which let Careem bound the exposed population to accounts created before that date.

The company waited roughly three months before going public, a delay it justified by saying cybercrime investigations are "immensely complicated and take time" and that it wanted accurate information before notifying users. The delay drew sharp criticism, particularly because Uber's concealment of its own 2016 breach had come to light only months earlier, in November 2017.

Impact

  • Around 14 million riders and 558,000 drivers had their names, email addresses, phone numbers and trip history exposed.
  • Careem stated that passwords and payment card details were not accessed, as those were held on a separate PCI-compliant third-party server.
  • The exposed trip-history data was particularly sensitive in the region, as it could reveal individuals' movements, home and work locations, and patterns of life.
  • Careem urged all users to remain vigilant against phishing and to monitor their accounts for suspicious activity; the company also said it had reset its internal credentials.
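To make concrete why the trip history is the most sensitive field on the list above: the following is an added illustration, not Careem's code or data, of the inference an attacker can run over stolen trip records. The trips are constructed, the time windows for "commute" and "night" are assumptions, and coordinates are bucketed to three decimal places (roughly 100 m) so that GPS jitter between trips still counts as one place.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records (not Careem data): one rider's trip history in the
# shape a ride-hailing backend would keep, as
# (rider_id, pickup time, pickup lat/lon, dropoff lat/lon).
# Dates fall on 8-13 January 2018 (Monday to Saturday).
SAMPLE_TRIPS = [
    ("r1", "2018-01-08T07:55:00", (25.0762, 55.1362), (25.2048, 55.2708)),  # Mon: home -> office
    ("r1", "2018-01-08T18:40:00", (25.2048, 55.2708), (25.0762, 55.1362)),  # Mon: office -> home
    ("r1", "2018-01-09T08:05:00", (25.0762, 55.1362), (25.2048, 55.2708)),  # Tue: home -> office
    ("r1", "2018-01-09T23:10:00", (25.1972, 55.2744), (25.0762, 55.1362)),  # Tue: night out -> home
    ("r1", "2018-01-10T07:50:00", (25.0762, 55.1362), (25.2048, 55.2708)),  # Wed: home -> office
    ("r1", "2018-01-10T19:05:00", (25.2048, 55.2708), (25.1972, 55.2744)),  # Wed: office -> mall
    ("r1", "2018-01-11T08:00:00", (25.0762, 55.1362), (25.2048, 55.2708)),  # Thu: home -> office
    ("r1", "2018-01-12T08:10:00", (25.0762, 55.1362), (25.2048, 55.2708)),  # Fri: home -> office
    ("r1", "2018-01-12T22:30:00", (25.1972, 55.2744), (25.1124, 55.1390)),  # Fri: late drop elsewhere
    ("r1", "2018-01-13T11:00:00", (25.0762, 55.1362), (25.1124, 55.1390)),  # Sat: errand
    ("r2", "2018-01-08T09:00:00", (25.1124, 55.1390), (25.2048, 55.2708)),  # another rider, ignored
]

# Assumed heuristics: weekday trips starting 06:00-09:59 are commutes, and trips
# starting 20:00-04:59 end at home. Both windows are assumptions for the example.
MORNING_HOURS = range(6, 10)
NIGHT_HOURS = set(range(20, 24)) | set(range(0, 5))
PLACES = 3  # decimal places kept when bucketing coordinates (~100 m)


def _bucket(latlon):
    """Round a (lat, lon) pair so nearby pickups/dropoffs collapse to one place."""
    return (round(latlon[0], PLACES), round(latlon[1], PLACES))


def infer_anchor_locations(trips, rider_id):
    """Guess a rider's home and workplace from raw trip records.

    Returns a dict with 'home' and 'work' (bucketed lat/lon or None), the share
    of votes the home guess received, and the weekdays (0 = Monday) on which a
    home -> work morning commute was observed.
    """
    home_votes = Counter()  # night dropoffs + weekday morning pickups
    work_votes = Counter()  # weekday morning dropoffs
    commutes = []           # (weekday, pickup bucket, dropoff bucket)

    for rid, ts, pickup, dropoff in trips:
        if rid != rider_id:
            continue
        t = datetime.fromisoformat(ts)
        pick, drop = _bucket(pickup), _bucket(dropoff)
        if t.hour in NIGHT_HOURS:
            home_votes[drop] += 1
        if t.weekday() < 5 and t.hour in MORNING_HOURS:
            home_votes[pick] += 1
            work_votes[drop] += 1
            commutes.append((t.weekday(), pick, drop))

    home = home_votes.most_common(1)[0][0] if home_votes else None
    work = work_votes.most_common(1)[0][0] if work_votes else None
    confidence = home_votes[home] / sum(home_votes.values()) if home else 0.0
    commute_days = sorted({d for d, p, q in commutes if p == home and q == work})
    return {"home": home, "work": work,
            "home_confidence": confidence, "commute_days": commute_days}


if __name__ == "__main__":
    print(infer_anchor_locations(SAMPLE_TRIPS, "r1"))
```

A week of records is enough to pin a home, a workplace and a Monday-to-Friday routine for the constructed rider; over the months of history involved in the breach the picture only sharpens, which is why trip data is handled as location data rather than as an innocuous receipt.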

Attribution

Careem attributed the breach only to unidentified "online criminals" and did not name a group or nation-state. No threat actor publicly claimed responsibility, and no arrests were reported. The motivation appeared to be theft of bulk personal data, though no ransom demand was disclosed.

Why it matters

The Careem breach was a milestone moment for data-protection awareness in the Gulf and South Asia, regions where consumer-privacy regulation was still nascent. It highlighted the value of trip and location data held by super-apps and the reputational cost of delayed disclosure. Coming less than a year before Uber announced its $3.1 billion acquisition of Careem in March 2019, it also underscored how cybersecurity due diligence had become central to major regional technology deals.

Timeline

  1. December 2017: Careem's systems are first compromised, according to the company's later forensic records.

  2. 14 January 2018: Careem detects that "online criminals" have accessed a system storing customer and captain (driver) account data.

  3. 23 April 2018: Careem publicly discloses the breach, roughly three months after detection, notifying around 14 million users.

  4. 23 April 2018: Careem states that names, emails, phone numbers and trip data were taken but that passwords and payment card data were not.

  5. Following disclosure: Security commentators criticize the multi-month disclosure delay and the scale of exposed personal data.

Sources

  1. cnbc.com: https://www.cnbc.com/2018/04/23/careem-says-data-of-14-million-drivers-and-riders-stolen-in-cyberattack.html
  2. dawn.com: https://www.dawn.com/news/1403401
  3. news.sophos.com: https://news.sophos.com/en-us/2018/04/25/ride-hailing-service-careem-lost-14-million-users-data-in-january/
  4. tomshardware.com: https://www.tomshardware.com/news/careem-data-breach-14-million,36937.html
  5. gulfbusiness.com: https://gulfbusiness.com/en/2018/transport/dubais-careem-reports-data-breach-affecting-millions-customers/

Related incidents

Data breach (Resolved)

BannerBit data breach (2018)

In approximately December 2018, the online ad platform BannerBit suffered a data breach. The data, containing 213k unique email addresses and plain-text passwords, was provided to HIBP by a third party. Multiple attempts were made to contact BannerBit, but no response was received.

Victim
BannerBit
Records
213.4K
Data breach (Resolved)

Ajarn data breach (2018)

In September 2021, the Thai-based English language teaching website Ajarn discovered they'd been the victim of a data breach dating back to December 2018. The breach was self-submitted to HIBP and included 266k email addresses, names, genders, phone numbers and other personal information.

Victim
Ajarn
Records
266.4K
Data breach (Contained)

Quora data breach

The question-and-answer platform Quora disclosed that an unauthorized third party had accessed the data of approximately 100 million users, including names, email addresses, salted-and-hashed passwords, and imported contact and demographic data.

Victim
Quora
Records
100.0M