In January 2018, Careem, the Dubai-headquartered ride-hailing platform operating across 14 countries in the Middle East, North Africa, and South Asia, discovered that attackers had gained unauthorized access to its systems.
The breach, disclosed publicly on April 23, 2018, compromised the personal data of approximately 14.5 million customers and drivers, including names, email addresses, phone numbers, and trip history.
This remains one of the largest data breaches in the history of the UAE's technology sector.
## Key Facts
- **What:** Attackers breached Careem's systems, stealing data on 14.5M users.
- **Who:** Careem riders and drivers across 14 MENA countries.
- **Data Exposed:** Names, emails, phone numbers, and trip/location history.
- **Outcome:** Because the breach predated the PDPL, penalties were limited; the incident helped catalyze the UAE's data protection law.
## What Was Exposed
- Full names of 14.5 million customers and drivers across all operating markets
- Email addresses tied to Careem accounts
- Phone numbers, including UAE mobile numbers for the significant Gulf user base
- Trip history data, including pickup and drop-off locations, dates, and times
- GPS location data associated with ride histories
- Driver personal information, including license details and vehicle registration data
- Account creation dates and last activity timestamps
Careem stated at the time that no password data (stored as hashed and salted values) or credit card information was accessed, as payment data was stored on a separate external system.
However, the combination of names, phone numbers, email addresses, and granular trip history constitutes a severe privacy exposure. Trip data reveals where individuals live, work, socialize, and receive medical care.
For users in conservative societies across the MENA region, the exposure of movement patterns carries social and personal risks that extend far beyond conventional identity theft.
The three-month gap between the discovery of the breach in January 2018 and public disclosure in April 2018 drew significant criticism.
During this period, affected users were unaware that their personal data and location histories had been compromised and were unable to take protective measures.
Careem stated the delay was necessary to complete its investigation and secure its systems, but the notification timeline became a focal point for discussions about breach disclosure obligations in the Middle East.
The scale of the breach, spanning 14 countries and 14.5 million individuals, made it a cross-jurisdictional incident with implications for data protection enforcement across the entire MENA region.
However, it was Careem's status as a UAE-headquartered company that placed the incident most prominently within the UAE's regulatory purview.
## The Sensitivity of Location and Movement Data
Trip history data deserves particular analysis because of its uniquely revealing nature. Unlike static personal data such as names and email addresses, location data captures the dynamic patterns of individuals' lives.
A complete ride history for a Careem user reveals their home address (the most frequent pickup location), their workplace (regular weekday destinations), their social habits (evening and weekend destinations), medical facilities they visit, religious institutions they attend, and relationships they maintain through shared destinations.
In the MENA region, where cultural norms around personal privacy, social behavior, and gender interactions differ significantly from Western contexts, the exposure of movement data carries amplified risks.
Users whose trip histories reveal visits to locations that could be socially stigmatized, relationships that could be culturally controversial, or movements that contradict publicly stated positions face potential harm that goes far beyond financial loss.
The sensitivity of this data was arguably not adequately reflected in the security controls protecting it.
For drivers, the exposure is equally significant but different in character. Driver trip histories reveal their work patterns, income levels (inferrable from trip frequency and routes), and the neighborhoods they frequent.
Driver identity documents, including license details and vehicle registrations, can be used for targeted fraud, impersonation of legitimate drivers, or creation of fraudulent driver accounts on competing platforms.
The combination of rider and driver data in a single breach also creates compounding risks. Knowing both who took a ride and who drove them, with precise pickup and drop-off locations, creates a comprehensive record of specific interactions between individuals.
This level of detail about interpersonal encounters is rarely available in any other data breach context.
## The Uber Parallel and Industry Context
The Careem breach occurred just months after the disclosure of a similar breach at Uber, Careem's global competitor, which had concealed a 2016 breach affecting 57 million users for over a year.
The parallel between the two incidents was not lost on regulators, media, or the public.
Both ride-hailing platforms had suffered massive data breaches, both had delayed disclosure, and both incidents exposed the unique privacy risks inherent in location-tracking transportation platforms.
However, the regulatory consequences differed dramatically. Uber faced investigations and penalties across multiple jurisdictions with established data protection enforcement, including significant fines under European data protection law.
Careem, operating primarily in jurisdictions without comprehensive data protection legislation, faced far fewer regulatory consequences.
This disparity highlighted the enforcement gap in the MENA region and became a powerful argument for the necessity of the PDPL that would follow three years later.
## Regulatory Analysis
The Careem breach occurred in January 2018, predating the UAE's Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL), which came into effect in January 2022. This timing creates a unique analytical framework: examining what applied at the time versus what would apply if the same breach occurred today.
**Regulatory Landscape at the Time (2018):** In 2018, the UAE did not have a comprehensive federal data protection law. Data protection was governed by a patchwork of provisions including:
- The UAE Constitution (Article 31), which provides a general right to privacy of communication.
- Federal Law No. 5 of 2012 on Combating Cybercrimes, which criminalized unauthorized access to information systems and data but was primarily a criminal statute rather than a data protection framework.
- The DIFC Data Protection Law No. 1 of 2007 (since replaced by Law No. 5 of 2020), applicable only within the DIFC free zone.
- The ADGM Data Protection Regulations 2015, applicable only within the Abu Dhabi Global Market free zone.
This fragmented landscape meant there was no federal breach notification requirement, no standardized penalty framework for data protection failures, and limited regulatory infrastructure for investigating data breaches at the scale of the Careem incident.
The three-month disclosure delay, while criticized, did not technically violate any federal notification obligation because no such obligation existed at the federal level.
**What Would Apply Today Under the PDPL:** Had the Careem breach occurred after the PDPL came into effect, the regulatory response would be dramatically different.
**Article 5 (Lawful Processing):** Careem's collection and retention of detailed trip histories, GPS data, and driver personal information would need to comply with purpose limitation and data minimization principles.
Questions would arise about how long trip history data was retained, whether GPS precision exceeded what was necessary for service delivery, and whether the volume of personal data collected was proportionate.
**Article 26 (Data Security):** The successful compromise of systems containing 14.5 million records would constitute a prima facie violation of the security obligations under Article 26. The PDPL requires technical and organizational measures appropriate to the risk, and a ride-hailing platform processing location data and personal information for millions of users across multiple countries represents a high-risk processing scenario demanding commensurately robust security.
**Article 28 (Breach Notification):** Under the PDPL, Careem would be required to notify the UAE Data Office of a breach likely to result in serious harm to data subjects. A three-month disclosure delay would almost certainly be deemed non-compliant.
The exposure of location histories for 14.5 million individuals across the MENA region would clearly meet the "serious harm" threshold, requiring notification to affected individuals as well.
Under the current PDPL framework, Careem would face potential fines of up to AED 10 million. Additionally, given the cross-border nature of the breach, cooperation with data protection authorities in other affected jurisdictions would be expected.
The Careem breach was, in many ways, a catalyst for regulatory change in the UAE. It demonstrated the inadequacy of the pre-2022 regulatory patchwork and underscored the need for a comprehensive federal data protection law.
The PDPL, enacted three years after the breach, addresses many of the gaps that the Careem incident exposed.
## What Should Have Been Done
The Careem breach offers enduring lessons for technology platforms operating across the MENA region.
**Location Data as Sensitive Data:** Trip histories and GPS data should be treated as sensitive personal data regardless of whether a specific regulation classifies them as such. Movement patterns reveal intimate details about individuals' lives.
Careem should have implemented the highest tier of security controls for location data, including encryption at rest and in transit, strict access controls, and data minimization practices that limit retention of precise GPS coordinates to the minimum period necessary.
**Cross-Border Data Architecture:** Operating across 14 countries with varying data protection regimes required a data architecture that could enforce jurisdiction-specific retention policies, access controls, and security standards.
A single centralized database containing the combined personal data of users across all markets created an unnecessarily large blast radius for any security compromise.
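The retention and minimization controls described in the two points above can be made concrete as a batch policy over stored trips. The following is an added example, not Careem's code: it assumes a simple per-market retention table (the day counts are illustrative assumptions) and, once a trip falls outside its market's window, replaces precise pickup and drop-off coordinates with a coarse grid cell and truncates the timestamp to the date, so a later compromise of the history table exposes far less.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Constructed per-market retention windows (days) for precise coordinates and
# exact timestamps; illustrative assumptions, not Careem's actual policy.
RETENTION_DAYS = {"AE": 90, "EG": 30}
DEFAULT_RETENTION_DAYS = 30
COARSE_DECIMALS = 2  # two decimals of lat/lon is roughly a 1 km cell

@dataclass(frozen=True)
class Trip:
    trip_id: str
    country: str          # market the trip occurred in (ISO 3166-1 alpha-2)
    started_at: datetime  # timezone-aware
    pickup: tuple         # (lat, lon)
    dropoff: tuple        # (lat, lon)

def coarsen(point: tuple, decimals: int = COARSE_DECIMALS) -> tuple:
    """Reduce a coordinate pair to a coarse grid cell."""
    return (round(point[0], decimals), round(point[1], decimals))

def retention_cutoff(country: str, now: datetime) -> datetime:
    """Trips that started before this instant lose precise location and time."""
    return now - timedelta(days=RETENTION_DAYS.get(country, DEFAULT_RETENTION_DAYS))

def minimize_trip(trip: Trip, now: datetime) -> Trip:
    """Return the trip unchanged while inside its market's window; otherwise a
    minimized copy with coarse pickup/dropoff cells and a date-only timestamp."""
    if trip.started_at >= retention_cutoff(trip.country, now):
        return trip
    day_only = trip.started_at.replace(hour=0, minute=0, second=0, microsecond=0)
    return replace(trip, pickup=coarsen(trip.pickup),
                   dropoff=coarsen(trip.dropoff), started_at=day_only)

def minimize_history(trips: list, now: datetime) -> list:
    """Apply the policy to a whole ride history (e.g. from a nightly batch job)."""
    return [minimize_trip(t, now) for t in trips]

# Constructed sample data: two Dubai trips and one Cairo trip, evaluated as of NOW.
NOW = datetime(2018, 1, 15, tzinfo=timezone.utc)
SAMPLE = [
    Trip("t1", "AE", datetime(2017, 9, 1, 8, 42, tzinfo=timezone.utc),
         (25.204849, 55.270783), (25.197197, 55.274376)),   # 136 days old
    Trip("t2", "AE", datetime(2018, 1, 10, 18, 5, tzinfo=timezone.utc),
         (25.204849, 55.270783), (25.076282, 55.138443)),   # 5 days old
    Trip("t3", "EG", datetime(2017, 12, 1, 7, 30, tzinfo=timezone.utc),
         (30.044420, 31.235712), (30.056220, 31.227630)),   # 45 days old
]
```

Running `minimize_history(SAMPLE, NOW)` leaves the recent Dubai trip untouched and coarsens the other two, with the Cairo trip aging out sooner under its shorter window.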
**Rapid Detection and Disclosure:** The three-month gap between discovery and disclosure, while arguably necessary for investigation, left 14.5 million individuals exposed to risks they were unaware of.
Organizations should establish incident response capabilities that allow for parallel workstreams: containment and investigation proceeding simultaneously with notification preparation, enabling disclosure to occur within days or weeks rather than months.
**Driver Data Protection:** Drivers represent a uniquely vulnerable category of data subjects in ride-hailing platforms. Their personal information, license details, vehicle data, and work patterns are all held by the platform.
Organizations must recognize that driver data requires the same level of protection as customer data and should be subject to the same security controls and access restrictions.
**Pre-Breach Regulatory Engagement:** Even before the PDPL, Careem could have voluntarily adopted international best practices for breach notification and data protection.
Companies that proactively exceed minimum regulatory requirements build trust with customers and establish goodwill with regulators that proves valuable when incidents occur.
**Security Architecture for Hyper-Growth Startups:** Careem was in a period of rapid growth at the time of the breach, expanding across new markets while competing intensely with Uber for market share.
High-growth technology companies face particular security challenges because engineering resources are typically prioritized toward product development and market expansion rather than security infrastructure.
Organizations in this phase must resist the temptation to defer security investment and instead embed security engineering within product development teams from the earliest stages of growth.
**Post-Acquisition Security Implications:** Following the breach, Careem was acquired by Uber in 2020. This acquisition raises important questions about the lifecycle of breached data.
When a company that has suffered a data breach is acquired, the responsibility for ongoing notification, remediation, and monitoring of affected data subjects transfers to the acquiring entity.
The Uber-Careem acquisition should have included rigorous due diligence on the residual risks from the 2018 breach and clear allocation of responsibility for ongoing protective measures.
## Legacy and Lasting Impact
The Careem breach fundamentally changed the conversation about data protection in the Middle East. Before the incident, data security was largely an afterthought in the region's booming technology sector.
After the breach, it became a boardroom priority and a regulatory imperative. The incident is widely cited in the legislative history of the UAE PDPL as evidence of the need for comprehensive data protection legislation.
For the 14.5 million affected individuals, the breach's impact has diminished but not disappeared. Email addresses and phone numbers exposed in 2018 continue to circulate in aggregated breach databases used by spammers, phishers, and social engineers.
Users who did not change their phone numbers or email addresses after the breach remain at elevated risk for targeted attacks leveraging the Careem data.
The persistence of breached data in the criminal ecosystem is a sobering reminder that data breaches are not events with defined endpoints but ongoing exposures with indefinite consequences.
The Careem breach remains the defining data security incident of the pre-PDPL era in the UAE. Affecting 14.5 million individuals across the Middle East, it exposed the regulatory vacuum that existed before the UAE Federal Data Protection Law and demonstrated why comprehensive data protection legislation was not optional but essential.
Had it occurred today, the consequences under the PDPL would be severe and immediate.
## Recommendations for Affected Users and Drivers
Although the Careem breach occurred in 2018, the data remains in circulation and affected individuals should maintain awareness of the ongoing risks.
**For Riders:**
Users whose trip histories were exposed should be aware that their movement patterns from before January 2018 may be known to unauthorized parties. While changing historical location data is impossible, users should ensure that email addresses and phone numbers compromised in the breach are not still used as primary identifiers for sensitive accounts. Those who have not changed their email or phone number since the breach should consider doing so, particularly for accounts where these identifiers serve as login credentials or recovery mechanisms.
**For Drivers:**
Drivers whose license details and vehicle registration data were exposed should verify that their identity has not been used to create fraudulent accounts on ride-hailing or delivery platforms. Driver identity fraud on mobility platforms can create legal and financial liability for the legitimate identity holder. Affected drivers should also monitor their driving license records for unauthorized modifications or duplications.
**Credential Hygiene:**
All affected users should ensure they are not reusing passwords that were associated with their Careem accounts. Even though Careem stated that passwords were stored as hashed and salted values, the email addresses from the breach have been incorporated into credential stuffing databases and continue to be used in automated attacks against other services. Multi-factor authentication should be enabled on all accounts that share the compromised email address.