Dubai’s Careem reports data breach affecting millions of customers

The incident occurred in mid-January



Dubai-based ride-hailing company Careem has suffered a major data breach that could have seen the personal data of millions of customers stolen, the company confirmed on Monday.

In an email sent to customers, Careem said that “online criminals” gained access to its computer systems holding customer and driver data on January 14.

The breach is believed to have affected up to 14 million customers across the company’s footprint of 78 cities in 13 countries across the Middle East, North Africa, Pakistan and Turkey.

At the time, Careem also had 558,000 drivers on its platform, according to The National.

The account data would have included email addresses, phone numbers and trip history but Careem said there was no evidence passwords or credit card details were also taken as they were encrypted or stored with third parties.

Customers and drivers that signed up after January 14 are not affected, according to the firm.

Gregg Petersen, regional sales vice president, Middle East and Africa at Veeam Software, said the lateness of the disclosure after the breach occurred was concerning.

“The Careem breach of driver and rider account data is extremely concerning. Customers need the confidence and trust that digital transactions and the handling of data will always work as expected,” he said.

“It appears from the reports today that this is the first public notification of a breach that happened in mid-January, which, if the case, isn’t acceptable.”

Careem said it launched a thorough investigation and engaged cybersecurity experts as soon as it detected the issue. It is also working with law enforcement agencies.

Existing customers and drivers have been encouraged to change their passwords and review their bank account and credit card statements.

No fraud as a result of the breach has been discovered by the company so far.

“While no organisation is completely immune to the threat of cybercrime, we are committed to meeting these threats and protecting the privacy and data of those that have placed their trust in us,” Careem said.

“We apologise for what has happened but rest assured, Careem has learned from this experience and will come out of it a stronger and more resilient organisation.”

The UAE’s Telecommunications Regulatory Authority said its Computer Emergency Readiness Team foiled 34 cyber attacks against government and private sector entities in January.

Careem’s servers are understood to be located in Dublin, Ireland.


Careem’s international rival Uber said last November it had paid hackers to delete the personal data of 57 million customers and drivers in an attack that occurred more than a year before.