Qatar National Bank Suffers Massive BreachCustomer Details, Card Data Apparently Leaked Online
A massive collection of documents from Qatar National Bank, based in Doha, was leaked and posted online to the whistleblower site Cryptome on April 26. The leaked data, which totals 1.4 GBs, apparently includes internal corporate files and sensitive financial data for QNB's customers.
Cryptome reports that the leak comprises 15,460 files, containing details, including passwords, PINs and payment card data, for hundreds of thousands of the bank customers' accounts. Multiple experts have also examined the data, and likewise report that it appears to be legitimate. But Cryptome offered no insights into how the data was obtained, for example, if it was via an external hack attack, or an inside job.
QNB did not respond to Information Security Media Group's email request for more information. But the bank released a statement April 26 that references "social media speculation in regard to an alleged data breach," saying that "it is QNB Group policy not to comment on reports circulated via social media."
QNB, however, did comment on those reports by saying that "there is no financial impact on our clients or the bank" and that it is "further investigating this matter in coordination with all concerned parties."
Authenticity of Data
ISMG was not immediately able to verify the authenticity of the information contained in the data dump. But multiple apparent customers who were directly contacted by ISMG, using the information contained in the data dump, confirmed that the leaked information about them was accurate.
Multiple sources who have reviewed the data dump have also confirmed to ISMG that the data appears to be genuine. One researcher, speaking on condition of anonymity, also confirmed that he had successfully used leaked customer internet banking credentials from the data dump to begin logging in to the customer's account, purely for research purposes. But he said the bank's systems then sent a one-time password to the customer's registered mobile number, which would serve as a defense against any criminals who might now attempt to use the leaked data to commit fraud.
Security engineer Omar Benbouazza, an organizer of the RootedCON conference, likewise believes that leaked data is legitimate. He's analyzed the leaked documents and found that the IP addresses listed, as well as information relating to these IP addresses, plus administrator information, appeared to belong to QNB and relate to QNB's mobile banking service, hosted at apps.qnb.com and apps.qnb.com.qa.
Information expert Nitin Bhatnagar, who heads business development for cybersecurity firm SISA Information Security, also says the leaked data appears to be genuine. Based on his analysis of the leaked data, the dump contains nearly 1 million payment card numbers, along with expiration dates, credit limits, cardholder details and other account information, all stored in clear text. Also present in the dump are banking documents, including sensitive information on the bank's retail business and banking application, plus administrator-level account access details, he says.
The leak contains PII, which could have serious repercussions for customers, Bhatnagar says. A sample customer profile, for example, includes a national identification number, social media profile links, card numbers, expiry dates, logins, passwords and password-reset questions, among other data - all stored in clear text.
Intelligence Agency Reports?
Although analysis of the leaked data remains ongoing, there are reports that it contains additional, unusual information. U.K.-based digital media news site IBTimes, for example, reports that in addition to consumer data, the leaked information also includes documents with information on Qatar's Al-Thani royal family as well as the broadcaster Al Jazeera, which is partly funded by the same family.
In addition, some leaked folders are marked "Spy" and contain what appear to be intelligence dossiers on individuals, according to IBTimes. Some files contained in the dump are labeled as "MI6" - in apparent reference to the British intelligence agency - with others naming Qatar's state security bureau, known as the Mukhabarat, as well as French and Polish intelligence agencies, IBTimes reports.