IBTimes are reporting that 1.4GB of internal documents, files and sensitive financial data from the Qatar National Bank (QNB) has been leaked online. This contains hundreds of thousands of records including customer transaction logs, personal identification numbers and credit card data. Additionally, dozens of separate folders consist of information on everything from Al Jazeera journalists to British spies and the Al-Thani Qatar Royal Family. Security experts from AlienVault, ESET and MIRACLE commented on this news below.
Javvad Malik, Security Advocate at AlienVault:
“Unfortunately, this is another example of a business being completely unaware of the fact that it had been breached and masses of highly sensitive information exfiltrated. Regardless of whether the breach was caused by an outsider or an insider, detection controls are imperative to alerting on such events where sensitive information is accessed or large transfers are made.
It appears as if not only the breach went undetected, but it remained undetected until the attacker chose to make the information public. It raises the worrying question as to how many other organisations have been breached and data exfiltrated that have not been made aware, or never will.”
Mark James, Security Specialist at ESET:
“If this data turns out to be legit it’s a very scary amount of extremely personal and damaging information that could be used in many ways. Apart from the obvious names and addresses, ID numbers, CC data, transaction logs etc. that could be used for identity theft, there seems to be a wealth of data that could be used in much darker activities.
Privacy these days is very fast becoming a luxury that fewer and fewer people have but when this type of data goes missing and it could potentially affect people’s lives and indeed their safety it’s a completely different ball game. The usual questions I am sure will be asked as to why this data is not segregated, why is it stored in apparently blatant easily definable folders and of course was it encrypted, not that being encrypted will make a difference if the actual user account has been compromised and authenticated through a valid login but these questions should be asked just for clarity.”
Brian Spector, CEO at MIRACL:
“This is what a bank heist looks like in the current climate of cybercrime. Rather than stealing money, hackers go after these huge treasure troves of sensitive data which can then be sold on in the billion-dollar business of identity fraud.
All too often, bad actors orchestrate attacks of this magnitude by stealing employee credentials – usually just username and password. Attackers know that when a password, irrelevant of how complex the password may be, is successfully stolen, the attacker can get access to internal systems and work their way to sensitive information – and steal it all.
The underlying issue is that the username and password system is old technology that is not up to the standard required to secure the deep information and private services that companies and individuals store and access online today. In order to retain their customers’ trust, online services need to remove the password from their systems altogether, and implement rigorous authentication technologies.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.