The biggest data breaches in the Middle East

Unlike other regions across the globe, where financial data is the main target for cyber attackers, the Middle East is witnessing a surge in political and strategic hacking.


After the US, Saudi Arabia and the United Arab Emirates (UAE) - the two biggest economies in the Gulf region - have the most costly data breaches in the world, reaching a total average of US$5.31 million in 2017, according to an independent report commissioned by IBM Security.

In addition to this, the above three countries also spent the most on their responses to data breaches, which include special investigative activities, legal costs, identity protection services, help desk activities, and more. In Saudi Arabia and the UAE, these costs amounted to US$1.47 million during a 10-month period between 2017 and 2018. (In the US alone the cost for the same period was US$1.76 million.)

Compared to the global trend where personal data and payment details are the common targets of cyber attackers (66.5 percent and 18.2 percent, respectively), the majority of data breaches in the wider Middle East and North Africa (MENA) region involve trade secrets and ‘know-hows’ (38.6 percent), personal data (29.6 percent) and state secrets (25 percent), according to another study by information security group InfoWatch.

Hackers’ interest in trade and state secrets, much higher than in other regions of the world, is hardly surprising given the political and economic landscape of these countries, which include five of the top 10 oil-producing states, as well as international tensions and rivalries between neighbours.

The high levels of wealth (according to the World Bank, Qatar is the richest country in the world on a per-capita basis) also make the region attractive to cyber criminals.

Below are some of the most serious data breaches reported in the region in recent years.

Israel, 2019: PM Netanyahu personal travel data exposed by hacker

On May 20, Spanish travel portal Amadeus said in a statement that a system used by its businesses in Israel had fallen victim to “an illegal and unauthorised access to flight itinerary data”.

The data breach exposed the flight itineraries and details of high-ranking Israeli officials, including Prime Minister Benjamin Netanyahu and his family. The leaked database also contained data about 36 million booked flights, 15 million passengers, 700,000 visa applications and over 1 million hotel bookings. Email addresses through which the flights and hotels were booked could also be accessed.

"This mass data is accessible to everyone and is especially sensitive since it contains information about senior government and defense establishment officials, who use the services of travel agencies that employ this system," the hacker who carried out the attack, and who wished to remain anonymous, told Israeli daily Haaretz.

They explained that they only had to type ‘Netanyahu’ in the search box to find data about him and his family.

Apparently there was no criminal motivation for the leak. The travel business added in its statement that they are investigating the breach but there was “no evidence to suggest that the data has been accessed by anyone other than the security researcher who reported his findings to the Israeli authorities.”

Saudi Arabia, 2019: White hackers infiltrate Dalil

Dalil, a popular communications app in Saudi Arabia and the biggest phone directory in the kingdom, suffered a data breach in March affecting more than 5 million users.

The breach in the company’s database was discovered by a team of researchers from privacy website vpnMentor. They also found that all the user data gathered by the app was stored in an unsecured and unmonitored MongoDB database.

White-hat hackers were able to access the data of millions of customers without the need for authentication, evidence of the weakness of the company’s data security and privacy measures.

UAE, 2018: Careem suffers an unkind breach

Careem, a popular ride-hailing startup in the Middle East soon to be acquired by Uber - until now its main competitor in the region - suffered a thorny data breach in January 2018.

Personal data belonging to the startup’s clients, including customers’ names, email addresses, phone numbers and trip data, was stolen by hackers. 

Although the Dubai-based company said in a statement that it had seen “no evidence of fraud or misuse related to this incident,” it also advised users to strengthen account passwords and to monitor bank statements for suspicious activity.

Careem explained in the communique that customers’ credit card data is stored on an external third-party PCI-compliant server, thus it wasn’t affected by the breach.

According to Reuters, when the cyber attack occurred the ride-hailing app had 14 million customers and 558,000 drivers (called ‘captains’) operating in the network across 78 cities in the region. Customers and riders who signed up after 14 January, when the incident took place, were not affected, the company said in a statement.

The breach ranks 24th in the 2018 Breach Level Index by Gemalto.

Lebanon, 2018: Lebanese expats’ personal data exposed abroad

A few months before Lebanon’s general elections in May 2018, Lebanese embassies in the UAE and the Netherlands exposed personal data of Lebanese citizens living abroad, making it accessible to unauthorised users and third parties.

In the UAE, embassy officials sent an email to Lebanese nationals living in the country with an attached spreadsheet including personal details of more than 5,000 Lebanese citizens who had registered to vote in the elections.

A similar email with a spreadsheet containing personal information of Lebanese registered voters in the Netherlands was sent by the local embassy to more than 200 recipients. Social Media Exchange (SMEX), a Lebanese NGO monitoring information regulations in the MENA region, reported that the individual sending the email added all the recipient addresses in the Cc field instead of Bcc (the blind carbon copy which hides this data). 

According to the NGO, personal information in the UAE and Netherlands spreadsheets included voters’ full name, parents’ names, sex, date of birth, religion, marital status, and address.

The data fiasco happened shortly after the Lebanese Ministry of Foreign Affairs and Emigrants (MFA) had been using cookies to track more than 90,000 users who used the ministry’s website to register to vote online.

Turkey, 2016: “The biggest data breach [so far] in history”

Before news emerged in 2018 about Facebook’s scandalous data breach affecting almost 50 million users of the social media platform, Turkey held the unenviable title of the worst-known data breach in history.

Personal data - including full names, address, national ID number, parents’ full names and date of birth - belonging to 49,611,709 Turkish citizens (two thirds of the country’s population) was leaked and posted online on a website called the Turkish Citizenship Database.

Transport and Communication Minister Binali Yildirim confirmed at the time that the breach appeared to date back to at least 2010. He added that the information was taken from electoral records that the government shares with political parties prior to elections. However, Tuncay Besikci, a computer forensics expert at consultancy firm PwC, told Reuters “he believed the data was taken from the government’s official Population Governance Central Database in or around 2009 and later illegally sold on to firms that dealt in asset foreclosures.”

In what appeared to be a politically motivated attack, the unidentified hacker/s published on the website where the personal data was leaked: “Who would have imagined that backward ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure? Do something about Erdogan! He is destroying your country beyond recognition.”

In Turkey, penalties for data breaches are not confined to monetary fines: the criminal code allows for possible imprisonment. Those who illegally collect personal or sensitive data can be imprisoned for up to four years.

Qatar, 2016: QNB sees sensitive financial details published online

In April 2016, Qatar National Bank (QNB), one of the largest financial institutions in the MENA region, was hit by a severe cyberattack which revealed names, PINs and passwords of a large number of customers. The leaked data was posted online to the freedom of expression website Cryptome.

Doha News reported that the breached information, which amounted to 1.5GB, also included internal corporate files, the bank details, telephone numbers and dates of birth of a number of Al-Jazeera journalists, supposed members of the ruling al-Thani family, and government and defence officials.

Although the authenticity of all of the leaked data couldn’t be verified, a number of well-known Qatari government and media personalities told Reuters that their account details published online were correct.   

Syria, 2016: The Cyber Justice Team attacks Assad systems

A hacktivist group by the name Cyber Justice Team, which opposes President Assad and ISIS for “both trying to destroy Syrian Revolution, both killers of the Syrian people”, leaked 43GB of sensitive data online obtained from Syrian government networks on 6 April, 2016.

Infosecurity Magazine reported at the time that the data consisted of 274,000 files from 55 national and private Syrian website domains, including official government domains. Hackers were able to obtain the data by exploiting known and outdated vulnerabilities of the websites.

The hacker group tweeted after the attack that it had deleted any files related to the government-run education system and the children’s hospital, supposedly to avoid leaking sensitive data about civilians.

Copyright © 2019 IDG Communications, Inc.
