Incident 1: The Qatar National Bank (QNB) Breach

What did attackers break into?

In 2016, the Turkish hacker group Bozkurt Hackers broke into QNB's internal database and accessed 1.4GB of sensitive customer information. The breached information included passwords, credit card numbers, expiration dates, PINs, credit holder names, account details, credit limits, etc. of thousands of people. The leaked data allegedly included records of organizations and high-profile individuals, such as Al-Jazeera journalists, members of the Al-Thani family, and intelligence agencies like Mukhabarat.

How did the attackers break into it?

The attackers broke into QNB's online banking application by exploiting vulnerabilities in it through SQL injection. Because the bank's database security and encryption were weak, they were able to bypass the internal systems and extract large amounts of sensitive data.

Who was impacted?

How was it investigated?

QNB's Risk Team quickly detected abnormal activity in its system environment and immediately communicated with relevant authorities. The bank took immediate steps to secure its systems and confirmed that all operations remained fully functional. While acknowledging that some leaked information was accurate, QNB stated that much of it was constructed and contained a mixture of information from the attack as well as other non-QNB sources, such as personal data from social media channels.

Numerous sources, however, verified that the data was legitimate. One of the users even tried to use leaked information to log in to an existing account for research purposes and almost succeeded. Following this, the bank assured customers that there was no financial impact thanks to safeguards such as two-factor authentication. QNB also worked with an external third-party cybersecurity expert to review its systems and encouraged its customers to stay alert and regularly update usernames and passwords.


Incident 2: Qatar Coronavirus Contact-Tracing App Breach

What did attackers break into?

In May 2020, a flaw in Ehteraz, Qatar's mandatory COVID-19 contact tracing app, allowed unauthorized access to data such as names, national IDs, health status, and live GPS location. The breach exposed issues in the app's security that stemmed from its rushed development and poor configuration.

How did the attackers break into it?

The app was rushed into deployment without adequate cybersecurity measures. Researchers from Amnesty International discovered that the central server lacked proper security protocols, which made it susceptible to unauthorized access. Additionally, the app's QR code system did not require authentication, which allowed any user to generate codes for others, potentially exposing their personal data.
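
The missing check described above, shown as an added example that is not the EHTERAZ code and not from the original page: the server takes the subject from an authenticated session token and refuses to build a QR payload for any other ID. The token format, function names and records are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side signing key

# Constructed sample records; the IDs, names and statuses are invented.
HEALTH_RECORDS = {
    "ID-0001": {"name": "Sample User A", "status": "green"},
    "ID-0002": {"name": "Sample User B", "status": "yellow"},
}

class AccessDenied(Exception):
    """The request is unauthenticated or asks for someone else's data."""

def _sign(message):
    return hmac.new(SERVER_KEY, message.encode(), hashlib.sha256).hexdigest()

def issue_session_token(national_id, ttl=900, now=None):
    """Called only after the user has logged in (login flow assumed, not shown)."""
    expires = int((time.time() if now is None else now) + ttl)
    message = f"{national_id}|{expires}"
    return f"{message}|{_sign(message)}"

def authenticated_subject(token, now=None):
    """Return the ID bound to a valid, unexpired token, else raise AccessDenied."""
    parts = token.split("|") if isinstance(token, str) else []
    if len(parts) != 3 or not parts[1].isdecimal():
        raise AccessDenied("missing or malformed session token")
    national_id, expires, tag = parts
    expected = _sign(f"{national_id}|{expires}")
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        raise AccessDenied("invalid token signature")
    if int(expires) < (time.time() if now is None else now):
        raise AccessDenied("session expired")
    return national_id

def qr_payload_unauthenticated(requested_id):
    """Flawed pattern described in the text: any caller can name any ID."""
    return {"id": requested_id, **HEALTH_RECORDS[requested_id]}

def qr_payload_authenticated(token, requested_id, now=None):
    """Hardened pattern: a caller can obtain a code only for their own ID."""
    subject = authenticated_subject(token, now)
    if subject != requested_id:
        raise AccessDenied("token subject does not match requested ID")
    return {"id": subject, **HEALTH_RECORDS[subject]}
```

The design point is that the requested ID is never trusted on its own: it must equal the identity the server already established for the session.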

Who was impacted?

How was it investigated?

On May 21, 2020, an investigation by Amnesty's Security Lab discovered the critical weakness in the configuration of Qatar's EHTERAZ contact tracing app. Amnesty alerted the Qatari authorities to the vulnerability immediately, and the authorities acted swiftly and were able to resolve the issue within 24 hours.

"While the Qatari authorities were quick to fix this issue, it was a huge security weakness and a fundamental flaw in Qatar's contact tracing app that malicious attackers could have easily exploited. This vulnerability was especially worrying given the use of the EHTERAZ app was made mandatory last Friday," said Claudio Guarnieri, Head of Amnesty International's Security Lab.
