Dubai: Ride-hailing app Careem says it has engaged a “leading cybersecurity firm,” following a hack in January that exposed the personal details of 14 million customers.

The company declined to specify which firm it had hired.

Local security firm VUL9, based in Umm Al Quwain, told Gulf News that it had assisted Careem in its response to “the incident and the breach.”

Mohammad Amine Belarbi, chief executive and co-founder of VUL9, declined to comment on the circumstances surrounding the breach, citing client confidentiality.

Careem would only confirm that it has relationships with “many” cybersecurity firms.

Details surrounding VUL9 are scant, but the company describes itself as a boutique firm specialising in infrastructure defence, cyber warfare, and data protection.

“Our highly skilled team of experts and specialists have located breaches and remediated to vulnerabilities on major Fortune 500 Technology companies including Google, Facebook, Yahoo, Twitter, Cisco and Adobe,” the company claims on its website.

Moroccan national Belarbi, who founded the security firm with countryman Mohammad Al Khdime, also lists Careem and Aramex, both based in Dubai, among the company’s clients on his LinkedIn profile.

Unusually, VUL9 claims in its company brochure that it has “offensive … cyberwarfare capabilities”.

Companies rarely admit when they are involved in offensive hacking, due to the uncertainty surrounding cyberwarfare laws, experts say.

In a statement to Gulf News regarding the company’s response to the breach, a Careem spokesperson confirmed that the company had engaged a “leading cybersecurity firm to assist our internal IT experts to forensically investigate the unauthorised access and to assist us with strengthening our security systems.”

On the steps taken to strengthen Careem’s security since the breach was discovered in January, the spokesperson added that the company has “introduced enhanced monitoring capabilities across our infrastructure that allows us to detect and respond quickly to security issues, as well as upgrading access controls for our users using market-leading, multi-factor authentication controls.”

“We have also redesigned our cloud architecture to ensure all our endpoints are embedded behind multiple layers of security,” they added.

Amazon Web Services (AWS), who are responsible for storing Careem’s data on servers in Ireland, denied the suggestion that their servers were breached, telling Gulf News in a statement that “all AWS security features and networks did, and continue to, operate as designed.”

Telr, the company that processes payments for Careem, also denied that the hack had taken place on their end.

Last week, Gulf News reported that the start-up, which last year closed a $150 million round of venture capital funding, had been informed of vulnerabilities on their web application as early as November 2016.