Careem has identified an incident involving unauthorised access to customer data (careem.com)
79 points by abdullahdiaa on April 23, 2018 | 24 comments



It is ingenuine on their part to not report how detailed the trip data they have is. Trip data could easily show Users' home/office locations, their daily travel patterns, their kid's daycare and whatnot. This kind of knowledge can be extremely dangerous if it falls into the wrong hands. Careem should be more straightforward about this and explain the consequences, rather than slyly gloss over the most dangerous part of the breach by mentioning only two effing words about it.


They also have only said when they figured out the breach, but not when the breach was. It could have happened a day before January 14th, or 3 months before January 14th. The difference is how much trust I would give them.

Interestingly they said the breach was done by "online criminals". Do they know, or do they automatically assume that people illegally accessing systems are criminals?


> Do they know, or do they automatically assume that people illegally accessing systems are criminals?

I'm not sure what distinction you are trying to make here. The fact that they are doing something illegal makes them criminals.


> The fact that they are doing something illegal makes them criminals.

Not in all countries. In Canada at least, plenty of things are against the law (illegal) but do not constitute a criminal offence.

I'm not committing a crime when I break the speed limit almost every day on my way to work, but what I'm doing is still illegal.


Poor example, just a week ago a 19-year-old had his family's house raided for him scraping documents from a public gov't website.

https://evandentremont.com/some-information-on-the-freedom-o...


My hunch is the distinction they're trying to make is between criminals who steal data for nothing more than monetary gain versus those who would steal such data for more nefarious reasons, perhaps on behalf of a nation.


> This kind of knowledge can be extremely dangerous if it falls into the wrong hands.

Let’s not go overboard with the panic just yet. The world isn’t some spy novel where nefarious actors are constantly trying to kill you or your children.

How do I know? Because if you are not currently under protection, I could easily create all the location history I might want within a week. And nobody willing to abduct you would scoff at a week’s work.

Also: if anybody wanted to kill you you’d be dead.

I know it’s a lot of fun to run down all the “threat actors” and the “tradecraft” they might use in your head on long, boring flights. But you’re not actually a movie character.


Also

* whoever you have ever been in a relationship with

* which VCs have given you a second meeting on a Monday

* when you exercise

* which cuisines you prefer

* which specialist doctor offices you have visited

* whether you have been interviewing at other companies

Forget this Facebook nonsense. Uber knows everything about you.


Funny part! I wanted to delete my Careem account. I could not do that. I cannot delete my account.

https://help.careem.com/hc/en-us/articles/115008681747-How-d...


"A Careem account cannot be deleted as every account detail can only be used once." - uh what?

So they've hashed your account details. They won't delete this. Great


Cmd+F "seriously"

"We take the protection of our customers and captains’ data very seriously."


Exactly what I did when I opened the page.


Well now.

What customer account data was stolen?

Customers’ name, email address, phone number and trip data.


The compromise was identified on January 14th, and the announcement took three months? That's a pretty appalling timeline.


A friend, who had a job interview with Careem, told me I should use a different mobile number and name if I'm using their service. Glad I followed his advice.


> January 14

Thanks for not telling anyone sooner.


Why is Uber included in the title here? It makes it seem like Uber was involved. I think the title should mention, at most, that Careem is a Middle Eastern ridesharing company.


Ridesharing could also include long-distance ride-sharing like BlaBlaCar. Since Uber-for-X has become a thing, I don't think including Uber in the title is a bad thing.


I know it's difficult to find an appropriate title but wouldn't -

"Careem, ridesharing company/app in the Middle East"

work better than calling out Uber?


Nothing to see here, it's a minor breach.


Trip data can contain extremely sensitive information.


They are also unsure whether passwords or credit card details were stolen.


I don't think customers’ name, email address, phone number and trip data can be considered a minor breach.


Wonderful, hacking often means dumping one data store due to sec problem with it (think 90s-SQL-injection).

I assume trip data was stored in the same system as emails - so both got hacked. Minor security considerations would put those in different systems and not store together.



