Protecting regional enterprises from a Careem like breach

Rajesh Gopinath, VP – Sales Engineering, MEA. at Paladion discusses how enterprises in the Middle East need to substantially reduce attacker dwell time to prevent a successful breach.

Enterprises in the Middle East need to substantially reduce attacker dwell time to prevent a successful breach. It takes a company an average of 106 days to identify a breach. The only way to effectively reduce attacker dwell time is by using a combination of AI-Driven and Manual Threat Hunting to identify and evict attackers before there is a catastrophic breach like this.

You are an enterprise in the Middle East. You feel confident your security systems are thoughtfully set up and provide you with comprehensive protection. So, instead of thinking about incoming threats, you go about your day-to-day operations, focusing primarily on your business’ key value driving functions. Everything seems to be progressing smoothly… until you get the news.

Another enterprise in the Middle East has been breached. Millions of files have been compromised. The public outcry deafens. Suddenly, you can’t focus on your business’ operations. Suddenly, a whole set of other questions enter your head…

“How did they get breached?”
“What can we learn?”
“Are our defenses strong enough?”
“Are we next?”

Unfortunately, this is not a hypothetical situation for enterprises in the Middle East. Recently, Dubai-based ride-sharing platform Careem announced a breach. Cybercriminals infiltrated their systems and walked away with over 14 million records for the company’s customers in the Middle East.

For many enterprises in the Middle East, this became the week they had to ask how their colleagues at Careem got breached, whether their own defenses are strong enough, and whether or not they will be the next enterprise in the Middle East to make headlines.

How Did Careem Get Breached?
As Gulf News reported, Careem announced (via a blog post) that they had been breached, and their 14+ million records had been stolen on January 14th. Careem is a major enterprise in the Middle East, based in Dubai, but operating in 80 cities spread throughout 13 countries.

The cybercriminals who committed this successful attack stole records on both Careem’s drivers, and their customers (their riders). The information they stole includes names, email addresses, phone numbers, and trip data. It is unclear how much geodata related to drivers’ and customers’ trips was stolen.

While no credit card data was stolen, and while Careem’s representative stated they have seen no evidence of “fraud or misuse related to this incident,” it is naive to believe the individual’s whose information was stolen are safe. The criminals behind the attack can still cause plenty of havoc utilizing the data stole. The stolen records give criminals enough personal information to perform additional phishing, or even social engineering, attacks against the affected parties.

What Can We Learn from Careem’s Breach?
At first glance, Careem’s breach appears to be a repeat of Uber’s breach (which they announced last November). The similarities go beyond the fact that both are ride sharing companies.

● Both companies lost massive amounts of records. (Uber lost ~56 million records.)
● Both companies took a substantial amount of time to announce the breach. (Uber took nearly a year to announce their breach.)
● Both companies lost driver and customer data, but not corporate data.

This last point deserves further elaboration. Uber explicitly stated they only lost customer and driver data, and that their corporate network was not breached. Careem implied this fact, by only mentioning that customer and driver records were stolen, and without mentioning any loss of corporate data.

This fact is not as heartening as it might initially seem. Instead of speaking to the strength of corporate defenses within both companies, it leads to the uncomfortable realization that many enterprises appear to be simply less careful with, and to apply fewer defenses to, their customer, vendor, and 3rd party data, than they offer their own in-house data.

Given the increased interdependence between customers, companies, and vendors, it is distressing to see many prominent enterprises in the Middle East accept even one “weak link” in their security. After all, today, it can only take one breach, in one corner of a company, to create system-wide failure, substantial internal damage, and lost reputation.

Are Your Defenses Strong Enough, or Are You Next?
It takes a company an average of 106 days to identify a breach to identify a breach. So, while it is wise to ask if your current defenses are already breached, or whether you will be the next enterprise in the Middle East to suffer a breach, another question may be even more important to ask— “Is our security program proactively hunting for attackers or are they waiting for an alert or breach to respond?”

At Paladion, several of our customers have reduced their dwell time from an average of 90 days to under 2 days. This is possible only using proactive threat hunting, and since manual threat hunting is slow, and speed is the primary success driver in cyber defense, we use a combination of AI-Driven and Manual Threat hunting to achieve these results. This is the right approach to cyber security today.