Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations

Qatar National Bank Suffers Massive Breach

Customer Details, Card Data Apparently Leaked Online
Qatar National Bank Suffers Massive Breach

A massive collection of documents from Qatar National Bank, based in Doha, was leaked and posted online to the whistleblower site Cryptome on April 26. The leaked data, which totals 1.4 GBs, apparently includes internal corporate files and sensitive financial data for QNB's customers.

See Also: Hunt Cloud Threats or Be Hunted | CISO Guide to Cloud Compromise Assessments

Cryptome reports that the leak comprises 15,460 files, containing details, including passwords, PINs and payment card data, for hundreds of thousands of the bank customers' accounts. Multiple experts have also examined the data, and likewise report that it appears to be legitimate. But Cryptome offered no insights into how the data was obtained, for example, if it was via an external hack attack, or an inside job.

QNB did not respond to Information Security Media Group's email request for more information. But the bank released a statement April 26 that references "social media speculation in regard to an alleged data breach," saying that "it is QNB Group policy not to comment on reports circulated via social media."

QNB, however, did comment on those reports by saying that "there is no financial impact on our clients or the bank" and that it is "further investigating this matter in coordination with all concerned parties."

Authenticity of Data

ISMG was not immediately able to verify the authenticity of the information contained in the data dump. But multiple apparent customers who were directly contacted by ISMG, using the information contained in the data dump, confirmed that the leaked information about them was accurate.

Multiple sources who have reviewed the data dump have also confirmed to ISMG that the data appears to be genuine. One researcher, speaking on condition of anonymity, also confirmed that he had successfully used leaked customer internet banking credentials from the data dump to begin logging in to the customer's account, purely for research purposes. But he said the bank's systems then sent a one-time password to the customer's registered mobile number, which would serve as a defense against any criminals who might now attempt to use the leaked data to commit fraud.

Security engineer Omar Benbouazza, an organizer of the RootedCON conference, likewise believes that leaked data is legitimate. He's analyzed the leaked documents and found that the IP addresses listed, as well as information relating to these IP addresses, plus administrator information, appeared to belong to QNB and relate to QNB's mobile banking service, hosted at and

Information expert Nitin Bhatnagar, who heads business development for cybersecurity firm SISA Information Security, also says the leaked data appears to be genuine. Based on his analysis of the leaked data, the dump contains nearly 1 million payment card numbers, along with expiration dates, credit limits, cardholder details and other account information, all stored in clear text. Also present in the dump are banking documents, including sensitive information on the bank's retail business and banking application, plus administrator-level account access details, he says.

The leak contains PII, which could have serious repercussions for customers, Bhatnagar says. A sample customer profile, for example, includes a national identification number, social media profile links, card numbers, expiry dates, logins, passwords and password-reset questions, among other data - all stored in clear text.

Intelligence Agency Reports?

Although analysis of the leaked data remains ongoing, there are reports that it contains additional, unusual information. U.K.-based digital media news site IBTimes, for example, reports that in addition to consumer data, the leaked information also includes documents with information on Qatar's Al-Thani royal family as well as the broadcaster Al Jazeera, which is partly funded by the same family.

In addition, some leaked folders are marked "Spy" and contain what appear to be intelligence dossiers on individuals, according to IBTimes. Some files contained in the dump are labeled as "MI6" - in apparent reference to the British intelligence agency - with others naming Qatar's state security bureau, known as the Mukhabarat, as well as French and Polish intelligence agencies, IBTimes reports.

About the Author

Varun Haran

Varun Haran

Managing Director, Asia & Middle East, ISMG

Haran has been a technology journalist in the Indian market for over six years, covering the enterprise technology segment and specializing in information security. He has driven multiple industry events such as the India Computer Security Conferences (ICSC) and the first edition of the Ground Zero Summit 2013 during his stint at UBM. Prior to joining ISMG, Haran was first a reporter with TechTarget writing for SearchSecurity and SearchCIO; and later, correspondent with InformationWeek, where he covered enterprise technology-related topics for the CIO and IT practitioner.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.