Cyber Incident Victim: Careem

Date: Jan 2018

Location: United Arab Emirates

Summary

A Middle Eastern ride-hailing service experienced a cyber attack compromising personal data of approximately 14 million customers and 558,000 drivers. Unauthorized access to a system storing account information resulted in the theft of names, email addresses, phone numbers, and trip data, though passwords and credit card details held externally remained unaffected. The breach impacted accounts active prior to the incident discovery, with newer registrants unaffected. The company, operating across 78 cities, publicly acknowledged the attack during a strategic funding initiative and emphasized organizational improvements following the event.

Description

Careem, Uber's primary ride-hailing competitor in the Middle East, disclosed a cyber attack on April 23, 2018, that compromised data belonging to 14 million customers and 558,000 drivers. The breach occurred when unauthorized parties gained access to a company computer system storing customer and driver account information, with the intrusion detected on January 14, 2018. At the time of the attack, Careem operated across 78 cities in the region, serving those 14 million users through its platform. The stolen data included personally identifiable information such as names, email addresses, and phone numbers, along with trip history details. The company confirmed that sensitive authentication credentials and payment information remained secure, as passwords and credit card data were stored on segregated third-party servers not accessed during the incident. Users who registered after the January breach were unaffected by the data exposure. Careem issued a public apology acknowledging the security failure and stated the experience would strengthen its organizational resilience, though it provided no immediate technical specifics about remediation efforts.

The disclosure occurred during a critical phase for Careem as it sought to raise $500 million in new funding, mirroring the size of its previous investment round completed in 2017. Established investors including Saudi Arabia's Kingdom Holding, Daimler, and DiDi Chuxing were not reported to have commented on the breach's implications. The company, founded in 2012, had previously announced profitability targets for the second half of 2018 and was considering potential IPO options prior to the incident. Careem emphasized no evidence suggested financial data misuse but did not specify whether it offered affected users identity protection services. The breach ranks among the largest regional cybersecurity incidents at the time, impacting nearly all users active on the platform before mid-January 2018 across Careem's extensive operational footprint.
