ISLAMABAD (April 25, 2018): The massive security breach of the core systems of the regional online transportation giant Careem is alarming, given the growth of online service delivery, the archiving of sensitive personal data on large numbers of customers, and the looming threats to these datasets.
Careem's callous attitude towards protecting the private data of its customers is criminal, and the authorities should hold the company accountable in order to safeguard the privacy of citizens. This is yet another incident that demonstrates the pressing need for, and the importance of, data protection and data privacy mechanisms in the country. The situation also calls for the urgent development of pro-people data protection frameworks that create an enabling online business environment, one in which corporations and government authorities are accountable and ensure the online privacy of users and citizens.
On Monday, Careem surprised the world by disclosing that unknown cybercriminals had gained unauthorized access in January to servers hosting the data of millions of its customers and captains. The company's statement was opaque: it did not say whether the attackers also accessed the financial data of customers and captains, and it gave no country-specific information, only general details. This is an irresponsible way for Careem to communicate with its trusting and loyal customers.
Under global best practice in data protection regulation (the EU's General Data Protection Regulation, for instance, sets a 72-hour window for notifying the regulator), companies are bound to report any data breach within 72 hours and to notify the affected parties on a priority basis. It is understood that, with the exception of Turkey, most of the countries in which Careem operates lack data protection legal frameworks. Turkey's law likewise binds companies to disclose data breaches as soon as possible. In this particular security lapse, Careem deliberately withheld the incident for 99 days, which is not only a gross violation of international best practice and of Turkey's data protection law but also plainly shows a careless and irresponsible attitude towards protecting the privacy of its customers.
In Pakistan, Careem is the largest online transportation business. Millions of customers in almost all major cities share rides through its application every day, and their personal information, including names, addresses, national identity card details, usernames, passwords, and credit card details, is stored on Careem's systems. The sensitivity of this data is multiplied by the fact that customers' real-time daily commutes from one place to another are also recorded, and from that record many patterns of a customer's life can be inferred: routine activities, locations, meeting points, and so on.
It is very unfortunate that the Pakistani authorities have closed their eyes to this significant breach of their citizens' privacy.
Bytes for All, Pakistan has for several years been demanding the immediate enactment of a comprehensive, effective and pro-human-rights data protection law that would ensure the privacy of citizens in general and of consumers of online services in particular. The existing governing structures are inadequate and sparse, and therefore incapable of countering the perils of the digital age.
Besides online businesses, government departments, including the National Database and Registration Authority, the Punjab Safe City Authority, the Islamabad Safe City Project, the Election Commission of Pakistan, the Benazir Income Support Programme, the Directorate General of Immigration and Passports, and many others, have been storing citizens' personal information in the form of diverse datasets on a massive scale, says Shahzad Ahmad, Country Director, Bytes for All, Pakistan.
The government has neither voluntarily disclosed the security protocols in place nor entertained Right to Information (RTI) requests on this issue. As the large-scale archiving of citizens' datasets continues to grow in the country, Bytes for All, Pakistan reiterates its demand that the government and the legislature immediately begin deliberations on a comprehensive electronic data protection law.
Specific to this incident, we also call upon the National Commission for Human Rights (NCHR) to take immediate suo motu notice, since it is feared that the breach may lead to misuse of Pakistani citizens' private data. The NCHR should summon Careem's resident managers and direct them to explain their position. It should likewise summon the responsible government authorities to provide the necessary guidance on data protection law in the country. We also urge the government to seriously consider establishing an autonomous and independent Privacy Commission through an act of parliament.
At Bytes for All, we would be extremely happy to provide any technical assistance concerning the intersection of human rights and technology.