Media Matters for Democracy expresses concern at the recent data breach at Careem; calls for a data protection framework to hold corporations accountable.

Islamabad, 25 April 2018: Media Matters for Democracy is deeply concerned about the recent data breach at Careem that we fear allowed hackers access to names, email addresses, ride histories and phone numbers of more than 14 million Careem customers and 500,000 captains.

Careem came forward about the data breach on April 23, 2018, almost three months after they had first learned that consumer data had been compromised. In a carefully worded statement that was also sent out to clients via email, Careem management insisted that there was no “evidence” to prove that passwords and credit card details of the customers have also been compromised. Despite this, the management encouraged the customers to immediately change their passwords and keep track of their bank statements and credit card details.

“It is appreciable that Careem has at least been this forthcoming about data theft, however, it remains concerning that consumers have no way of getting more details about the exact nature of the data that has been breached. There is no legal  redressal mechanism for consumers currently in place through which the corporations could be pushed towards more transparency”, said Asad Baig, founder, and director of Media Matters for Democracy, “as digital services become increasingly common and more and more consumer data is being held by these service providers, the need for a legal framework detailing data protection requirements is becoming urgent”.

Media Matters for Democracy is also concerned that the news of this data breach has been shared with consumers a full three months after the fact.

“It is pretty common for internet users in Pakistan to reuse the same passwords for multiple services. While Careem has claimed that there is no evidence that passwords have been accessed, the possibility is still there. In this case, information about passwords combined with the email IDs could lead to further breaches of consumer’s digital lives”, says Sadaf Khan, Director Programs, Media Matters for Democracy.

It is important to note that this is not the first time that hackers were able to access information system of an organization. In the past, there have been instances involving online portals such as Zameen.com and Pakwheels.com, government corporations such as Punjab Information Technology Board (PITB) and National Database Registration Authority (NADRA) where personal data of citizens was accessed by unauthorized persons.

Despite the fact that all these entities hold sensitive consumer data there is no legal liability on the corporations them when this data is breached or misused. Thus, most corporations do not even inform the public about successful and unsuccessful attempts to breach their databases.

“Organisations like ours have been pushing for protective mechanisms like data protection law and Privacy Commission for years. The Ministry of Information Technology had also given a commitment under the Open Government Partnership process to initiate public consultations on Data Protection Law by November 2017. However, we have seen no developments in this regard, which raises doubts about the Ministry’s sincerity about enacting protection mechanisms”, says Asad Baig.

Mindful of the importance of a data protection framework, we urge the relevant stakeholders including political parties, MOITT and the Senators to push for a strong data protection legal framework.  Only a strong framework can prevent a data breach in future, ensure a redressal mechanism for consumers and hold corporations and government agencies accountable for any negligence in protecting consumer data.