IBTimes are reporting that 1.4GB of internal documents, files and sensitive financial data from the Qatar National Bank (QNB) has been leaked online. The leak contains hundreds of thousands of records, including customer transaction logs, personal identification numbers and credit card data. Additionally, dozens of separate folders contain information on everything from Al Jazeera journalists to British spies and the Al-Thani Qatar Royal Family. Security experts from AlienVault, ESET and MIRACL comment on this news below.
Javvad Malik, Security Advocate at AlienVault:
“Unfortunately, this is another example of a business being completely unaware of the fact that it had been breached and masses of highly sensitive information exfiltrated. Regardless of whether the breach was caused by an outsider or an insider, detection controls are imperative to alerting on such events where sensitive information is accessed or large transfers are made.
It appears as if not only the breach went undetected, but it remained undetected until the attacker chose to make the information public. It raises the worrying question as to how many other organisations have been breached and data exfiltrated that have not been made aware, or never will.”
Mark James, Security Specialist at ESET:
“If this data turns out to be legit it’s a very scary amount of extremely personal and damaging information that could be used in many ways. Apart from the obvious names and addresses, ID numbers, CC data, transaction logs etc. that could be used for identity theft, there seems to be a wealth of data that could be used in much darker activities.
Privacy these days is very fast becoming a luxury that fewer and fewer people have, but when this type of data goes missing and it could potentially affect people’s lives and indeed their safety, it’s a completely different ball game. The usual questions, I am sure, will be asked as to why this data is not segregated, why it is stored in apparently blatant, easily definable folders and, of course, was it encrypted; not that being encrypted will make a difference if the actual user account has been compromised and authenticated through a valid login, but these questions should be asked just for clarity.”
Brian Spector, CEO at MIRACL:
“This is what a bank heist looks like in the current climate of cybercrime. Rather than stealing money, hackers go after these huge treasure troves of sensitive data which can then be sold on in the billion-dollar business of identity fraud.
All too often, bad actors orchestrate attacks of this magnitude by stealing employee credentials – usually just username and password. Attackers know that when a password, irrelevant of how complex the password may be, is successfully stolen, the attacker can get access to internal systems and work their way to sensitive information – and steal it all.
The underlying issue is that the username and password system is old technology that is not up to the standard required to secure the deep information and private services that companies and individuals store and access online today. In order to retain their customers’ trust, online services need to remove the password from their systems altogether, and implement rigorous authentication technologies.”