Cybersecurity Research
August 12, 2022
Qatar National Bank Data Breach
In 2016, 1.4 GB worth of data from Qatar National Bank was leaked. Hundreds of thousands
of customers’ passwords, card details and PINs were posted on Cryptome, a document archive
website. It was not only customers whose details were leaked but also members of the
Al-Thani royal family and Al Jazeera Journalists. How the attackers were able to access
the data is not known, or at least has not been reported to the public according to the
article I read. Moreover, the articles I read were written at the time of the incident and
all said that ‘QNB is currently investigating’ but I could not find anything on the results
of that investigation.
EHTERAZ App Security Flaw
According to the articles I’ve read, EHTERAZ was not actually hacked but was hackable.
Fortunately, the security flaw was discovered by Amnesty International, an international
NGO, who informed the Qatari government of it and the security weakness was promptly fixed,
although it is possible the data could have already been taken before the flaw was discovered.
The organization found in its investigation that the app used the national ID of a user to
request the corresponding QR code from the central server. However, there was no
authentication when conducting this process and so anyone would have been able to request
any EHTERAZ user’s QR code. The data in the QR code includes the user’s name, quarantine
location and the name of the medical facility at which the user was being treated for COVID.
Links to sources used:
bankinfosecurity.com article on QNB Data Breach
meed.com article on QNB Data Breach
Amnesty International article on EHTERAZ Security Flaw
Further Reading:
Qatari Gas Company RasGas Hit by a Virus
Qatar State News Agency Website Hacked
Al Jazeera Media Network Subjected to Cyber-Attacks