What should a company do after there has been a security or data breach? Admit it happened and respond with a plan of action. Rebuilding the trust is imperative because while customers will freak out and run away, at least they will know you’re being honest. That’s something you can’t get back.
Yesterday, Careem informed its customers that a data breach had occurred and I thoroughly appreciated the contents of the email until I realized the incident actually took place 3 months ago. Three months. According to their profile on Wikipedia, almost 14 million users were breached. This could include but is not limited to personal detail, historical information on each user and credit card information. For a little more than 90 days, a homegrown shared ride company, was vulnerable at its core and didn’t make this little piece of information public. To give you a standard of comparison, any company governed by the GDPR compliance guidelines needs to inform its customers of a data breach within 72 hours of the incident. Considering Careem’s servers operate out of Ireland, their privacy and security policies will need to be much stronger as compliance and regulatory measures become more stringent as of later this year.
There is no doubt that they hired the best cybersecurity experts to assess just how wide this breach was and how exposed their customers are. While it is true that cybersecurity investigations take a long time, it can be argued that some preliminary news should have been shared soon after the breach was identified. For a company that is built on nothing but data, it is frightening that it would sit on the news for so long. They signed on deals and sent around press releases, grew their network and went on business as usual. Did they disclose the information about the breach to partners?
The great thing about companies coming up in the shared economy model is they are community driven. The people within the communities service users who need the service. And you grown the business, the community prospers. The decision to hide the news of the breach is so that customers don’t jump ship. That’s where the brand matters. A strong, community-driven brand can potentially take customers into confidence by sharing its news, both good and bad. Perhaps that is what will trouble customers most.
The sad state of affairs, at least in Pakistan is, regardless of how many people hold Careem accountable and even initiate boycott campaigns, the reality is, there is no alternate. Many cities in Pakistan lack the transportation infrastructure, which makes the shared taxi business popular, affordable and convenient.
Consumers have a right to know how their data is being used and how they are being protected; such is the transparent trust between the service providers and their customers. What impact this revelation will have on privacy and data protection laws or even basic code of business conduct, only time will tell.
If you have concerns about how this impacts you as a user, please visit the Careem blog.