Middle East taxi-hailing app Careem repeatedly dismissed or ignored attempts by ethical hackers to alert the company to security vulnerabilities as far back as November 2016, it emerged on Wednesday.
In an emailed statement, Babar Khan Akhunzada, founder of Pakistani firm Security Wall, told Gulf News that the company had alerted Careem to a serious security flaw last year, receiving an automated customer service message from them in response.
“Last year [Security Wall associate Daniyal Nasir] found a vulnerability on Careem’s web application,” Akhunzada said. Upon reporting the vulnerability to multiple individuals at the company, Security Wall say that their emails were ignored. Daniyal said he could access the confidential records of 1.4 million customers, including trip data and telephone numbers. The same data was stolen in January’s hack, Careem said.
Last Monday, Careem announced that it had been hacked on January 14 of this year, losing customers’ names, email addresses, phone numbers and trip data in the process.
Gulf News has seen screenshots from Security Wall which confirm their ability at the time to access users’ private records.
Ethical hackers regularly attempt to breach companies’ security systems, sometimes in return for a financial bounty, in order to inform the firm and allow it to strengthen its defences.
Such hackers are often referred to as white hats.
Responding to the claims on Wednesday, Careem said in an email that “like many companies, we frequently receive messages from independent security researchers on potential technical issues.”
It added that Careem strives “to respond to each individual and we are actively reviewing our process to see how we can work better with this incredibly helpful community — who can reach us at firstname.lastname@example.org.”
Experts say that companies often fail to act on important vulnerability notifications simply because they are inundated with a mix of real and sometimes fake alerts.
“As a platform sees more scale, it can become increasingly difficult to sort the sheer amount of inbound threat reports no matter how well intentioned they may be,” Omar Kassim, CEO of Esanjo told Gulf News.
Last year, Uber admitted to concealing a massive hack that exposed the data of 57 million of its users and drivers.
The firm paid hackers $100,000 to delete the data and keep the breach quiet. Over a year later, the company finally disclosed the breach, and fired its chief security officer.