Following Uber’s massive breach revealed in 2017, another ride-hailing app has been compromised — Dubai-based Careem. The incident, affecting 14 million riders, involved access to Careem’s data storage system, compromising names, email addresses, phone numbers and trip data for anyone who signed up for the app before Jan. 14, 2018. There’s currently no evidence that the hackers accessed passwords/credit card info.
Setu Kulkarni, VP of Corporate Strategy at leading application security provider WhiteHat Security, has analyzed the attack below.
Setu Kulkarni, VP of Corporate Strategy at WhiteHat Security:
“This incident reaffirms that we’re never out of danger from a data breach of our personal information. As online platforms rapidly and successfully connect consumers to service providers – these platforms are becoming treasure troves of personally identifiable information. Unfortunately, in the pursuit of time to market and rapid user adoption, not enough attention is paid to application security. WhiteHat Security’s annual Application Security Statistics Report looks at ‘windows of exposure’ across industries each year. What is consistently alarming is the high rate of applications that are ‘always vulnerable,’ which means an application is vulnerable on every single day of the year. In the transportation industry, 33% of applications are always vulnerable. Additionally, as more apps are developed and utilized, there are more and more points of entry that need to be secured.
While Careem hasn’t provided specific details on the cause of this cyber incident, one potential cause could be that a vulnerable backend API allowed the unauthorized access. While reacting to the incident in the way Careem has done is absolutely the right thing to do, it is also important to take a proactive approach to application security by testing all digital assets–be it web, mobile or APIs–throughout their development lifecycle. It’s also important to provide adequate and appropriate training and education to foster meaningful collaboration between IT/Ops and security teams to understand and prioritize how to mitigate risk. Comprehensive security testing and training along with continuous assessment of production assets could make such massive breaches a thing of the past.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.