April 24, 2018 - Statement: DRF expresses concerns over the security breach of Careem's servers
Digital Rights Foundation expresses serious concerns over the breach of the servers of Careem, one of the most used ride-hailing services in Pakistan. The company announced in its official statement on April 23 that its servers were breached on January 14, 2018 and that it has been investigating the matter since then. According to the statement, the private and sensitive information of millions of its customers and drivers was stolen, including their names, contact numbers, email addresses, passwords and trip data. According to the company, however, credit card and financial details were not affected.
This breach is particularly worrisome because Careem, as a ride-sharing application, has amassed a huge amount of critical and personally identifiable information about its users. The information compromised in the breach, i.e. names, phone numbers and trip data, can be used to identify not only individuals but also their whereabouts, given their trip patterns. Once revealed, this data has the potential to put lives in danger.
While we commend their effort to be transparent, the incident points to the larger issue of weak data protection protocols, which put people's sensitive information and, in grim situations, their lives at risk. Moreover, in light of the many physical attacks on drivers of ride-sharing apps in Pakistan over the past couple of months, this incident further endangers the life and property of the people who use these services to earn an honest living or to commute safely.
This particular breach of Careem's security protocols raises many questions and concerns that their statement failed to answer. First and foremost, why did it take four months to report the incident to the public? Although the blog states that they took their time to investigate the details of the breach because of its complex nature, the fact remains that millions of Careem's customers and drivers kept using their compromised accounts while their data was exposed. Customers were kept in the dark and had no mechanism for holding the company accountable.
Secondly, the statement fails to mention the number of customers affected by this breach. Careem is used by over 14 million users around the world, and silence on this important aspect could mean that all of those users were affected.
Furthermore, customers have the right to full transparency about the incident, and the statement leaves several questions unanswered. Important questions remain: who was behind the hack, what happened to the stolen data, where is it stored, what measures has Careem taken to secure the stolen data, does Careem take responsibility for any unforeseen incident that may ensue from the misuse of this data, and what actions has it taken to ensure strong security of customer information in the future?
Careem's four months of silence and its inadequate justification of the data breach indicate that tech companies operate without being held accountable under any laws in the countries where they operate. Furthermore, in the absence of the data protection legislation that DRF has been advocating for since last year, incidents like this put Pakistani customers at risk and at the mercy of hackers, who can use this stolen information against them without any legal repercussions.
It would be remiss not to point out that the business model of several tech companies has been to amass personal data and monetize it for profit. Companies such as Careem need to be more transparent about what data is collected, how it is stored and what it is ultimately used for, and at the same time they need to reorient their approach towards data. A larger critique of these practices and their human rights implications is in order.