Careem knew – or should have known – that they had a serious problem last year: researcher
Mark Sutton has some follow-up commentary on the Careem breach reported on this site yesterday:
Gregg Petersen of Veeam Software said that not alerting customers to the breach for so long “isn’t acceptable”, and that organisations need to work faster to maintain the trust of their customers.
Jordanian cybersecurity expert Raed Nesheiwat also said that the delay represented a “huge problem”, according to Arab News.
Personal details of up to 14 million Careem customers and drivers across the Middle East, North Africa, Pakistan and Turkey were breached in January, but the incident was only reported this week.
Careem has previously said that it did not warn customers of the loss as it did not want to alert the attackers that it was aware of the breach until it had been fixed.
Read more on ITP.net.
If Petersen and Nesheiwat were critical of a delay between January and now, what might they say if they were told that Careem had been warned last year that they were at risk of this type of breach?
Yesterday, after linking to the Khaleej Times report, DataBreaches.net received an email from Daniyal Nasir, a cyber security researcher from Pakistan [LinkedIn, HackerOne]. Nasir claims that he had alerted Careem last year to security concerns, as reported on SecurityWall.co. As SecurityWall reported in June 2017 (typos as in the original):
Few weeks ago, a security researcher named Daniyal Nasir from Pakistan digged into the Careem Applications to test for the security issues and found the most critical vulnerabilities in their applications by which he was able to access over 1.4 million customer’s confidential information of Careem.
The information includes all the Driver’s Email, Name, Mobile Number, ID Card Number, Trips, Payment Information, even their pictures. Not only drivers, but also the details of all the Cars registered in Careem even their Car Registration Number.
“They didn’t pay any attention and didn’t respond to me correctly,” Nasir tells DataBreaches.net, “and also I told them that this could result in a huge loss in the future, which has now happened.”
The SecurityWall post in June, 2017 included a pretty compelling screenshot demonstrating a data protection problem. But had the company seen that evidence?
Nasir tells DataBreaches.net he never sent Careem that exact screenshot. “I tried for a couple of months contacting them but they didn’t give me any attention,” Nasir writes. “I didn’t send this screenshot, as I had video PoCs, so I was waiting for their positive response, so that I could talk further with them.”
That “positive response” never came, he tells DataBreaches.net.
DataBreaches.net contacted Careem to inquire about Nasir’s claims and to ask for their response. They responded promptly, a company spokesperson telling DataBreaches.net:
The incident that took place in January of this year was a completely separate and unrelated event.
Like many companies, we frequently receive messages from independent security researchers on potential technical issues. We do our best to respond to each individual, and we are actively reviewing our process to see how we can work better with this incredibly helpful community – who can reach us at [email protected]
When asked to respond to Careem’s claim that the January incident was totally unrelated to his attempts to warn them last year, Nasir responded:
I don’t think that it’s a separate thing.
Because I was also able to access 14 million users’ information, each and every detail. There are also a lot of issues I identified, like SQLi, but I didn’t exploit the SQLi because I didn’t want to waste more of my time, knowing that they would not pay me anything.
Just after their data breach in January, their cyber consultant company contacted me to hire me, but I couldn’t join them as my studies were here.
And before that I was hired by a security firm in the UAE and worked with them for a year.
Anyway, these are different things, but I don’t agree with Careem that this is a separate thing. The same things have been breached, the things I had already informed them about, and they were working silently without notifying me.
Anyway, at that time I didn’t get any credit, and also today (after the breach) I didn’t get any credit either.
I don’t know what you think about me and Careem, but I am telling you that it is the root cause.
They will not agree on this, not Careem; if it was your company you would also not agree, because it could bring down their respect, because today no one is ready to accept their mistakes after something big has happened.
If someone tells you to close the doors of your house, otherwise it will cause a robbery, and a robbery happens, you wouldn’t tell anyone that someone told me to close that door.
I hope you understand. It’s up to you.
Will government regulators be looking into this incident? Perhaps they can determine whether Nasir’s claims are merited and whether Careem could have prevented the January incident if they had responded to his attempts to notify them last year.
Update: Post-publication, Nasir contacted DataBreaches.net to request that we change “you will accept that someone told me to close that door.” to “you wouldn’t tell anyone that someone told me to close that door.” That change has been made.