Neville Lahiru
PickMe has refuted public claims of a data breach that has reportedly left 4 million PickMe customer records compromised. The leak, which was made public back in August claims to be 2020 PickMe data including around 1.8 million emails, 2.8 million unique phone numbers, and around 1.4 million hashed passwords. The leak also claims to include other sensitive information such as credit card details as per the sample data made public by the leaker in question.
However, PickMe points out that the company doesn’t store financial data and that any such card details are only in tokenized form as per standard industry practice. This means that users’ credit card details are converted to unique, randomly generated strings of data, a mechanism meant to obfuscate original data in the event of a breach or other cybersecurity incident. Additionally, it should be noted that PickMe has moved away from passwords to OTP-based logins in recent years.
Speaking to ReadMe, PickMe’s Chief Marketing Officer Mohan Gamage refutes the claims of the supposed data leak. He points out that the incident in question originally surfaced a few years ago and at the time PickMe had conducted its own investigations to confirm no such breach had occurred and that no financial data had been leaked. “Also, our security experts have proactively acted on this news back in August 2023,” Mohan emphasizes further. As to why this claim has resurfaced, he speculates that the 4-million record leak claim is more likely an attempt at causing reputational damage to the company than an actual security incident.
However, the company has yet to confirm how the alleged leaker had gotten hold of the sample data of three users. Mohan says the company is currently looking into this and that he believes the person is merely using this sample to paint a different picture of PickMe. Currently, PickMe houses over 140 IT engineers with several of them handling security-related matters. Moreover, the company relies a lot on Microsoft Azure and Google infrastructures and Mohan claims that the protections that come with these technologies are hard to penetrate, as easily as compromising four million records.
Of course, this isn’t the first major data breach from a Sri Lankan tech company. Back in May 2022, the PayHere hack left over 1.5 million records compromised. Although, despite the company’s efforts at mitigating the problem, the PayHere data dump resurfaced a year later.
The Data Protection Act of it all
More importantly, it will be interesting to see how Sri Lanka’s own Personal Data Protection Act will come into play when it comes to incidents like these, if at all. Early this month, President Ranil Wickremesinghe appointed the board of directors for the Sri Lanka Personal Data Protection Authority (DPA), the government body overseeing the Personal Data Protection Act No. 9 of 2022. More recently, Justice Minister Wijeyadasa Rajapakshe stated that the Data Protection Authority is to be fully operational by 2024. This would include “developing guidelines, investigating complaints, imposing penalties and raising awareness of data protection rights among individuals and organizations,” as per the minister.
At the time of writing, the DPA’s Board of Directors is currently in the deliberation and planning phase of creating the body. This means the funding of the authority (Part VIII of the Act) along with the design of the organizational framework, recruitment procedures, and roles of key officers, including the Director General (Part IX of the Act).
The implementation of the Personal Data Protection Act along with the Data Protection Authority will play a crucial role in Sri Lanka’s modern digital space, particularly as cyber security incidents are in the spotlight at a more frequent rate in recent years. The President himself highlighted the need for data protection in his 2022 budget speech. However, its own digital practices leave much to be desired, especially as the government recently lost all gov.lk email data spanning three months. Now, with the Sri Lanka Unique Digital Identity project on the way, data protection is bound to take an even bigger spotlight, for better or worse.
PickMe’s challenge
It’s worth iterating that while PickMe has refuted any claims of a data breach at that scale, it may be wise for customers to update their login details regardless. It might not give you complete protection from a data leak of this nature, but it will at least help mitigate any possible implications.
Back in March, PickMe crossed 100 million rides covering 900 million km spanning eight years. By August, the company signed agreements to operate a taxi stand at the Bandaranaike International Airport, along with a similar arrangement at the BMICH. With the company looking to ramp up its capabilities even further with offerings such as PickMe Pass, its risk factor pertaining to data protection will only continue to grow, particularly considering the scale of its operations handling millions of customer data.
“In light of the allegations, we have activated a dedicated response team composed of cybersecurity experts, legal advisors, and internal IT specialists back in August 2023 itself,” says Mohan With regard to PickMe’s preventive measures in place. PickMe’s full response reads as follows,
“Our focus is to not only address the allegations but also to stay committed to enhancing the preventive measures that safeguard our systems and data against any potential threats.
We are committed to taking all necessary actions to maintain the security and trust of our users. Our priority is to ensure that our users have confidence in PickMe’s commitment to data security and privacy.”
[Update 1]: Added a response from PickMe’s CMO Mohan Gamage refuting the claims of the 4 million data breach.
[Update 2]: Added further context from PickMe with regard to financial data and login details in the alleged claim.
GIPHY App Key not set. Please check settings