P2019-ND-018

Careem Inc.

On January 14, 2018, the Organization received an email from an unknown hacker claiming to have infiltrated its IT systems. The email demanded a ransom and threatened that, if it was not paid, the hacker would disclose the information publicly. On January 25, 2018, the Organization paid the ransom. The Organization investigated and determined that the hacker had infiltrated its IT systems sometime in December 2017, and had both accessed and stolen the personal information of customers and drivers. The Organization reported there is a possibility the hacker exfiltrated part or all of the Organization's source code. The Organization said it does not store credit card information on its systems, but it did maintain a token, a one-way hash of the card number, as a fraud prevention mechanism. The Organization believes that there is no realistic risk of reconstituting credit card numbers and expiry dates, since the cost of the computational power required for a brute-force attack significantly outweighs the black market price for a credit card number.

Categories: 2019