Huge QNB data leak 'devastating to professional reputations'

In-depth: Mis-labelling journalists and oil workers as 'spies' could lead to severe reputational damage, say privacy experts.
7 min read
28 April, 2016
The massive leak will likely have implications for months to come [AFP]
The huge leak of personal and banking details from Qatar's largest bank may have devastating consequences for several of those among the million-or-so whose data was posted online this week, according to privacy experts and legal analysts.

The details of the data breach at Qatar National Bank – dubbed "the world's strongest bank" in its advertising – are far more recent than previously suggested, The New Arab can reveal. 

The New Arab has spoken with QNB customers who opened accounts as recently as September 2015; we then subsequently found their credit card details within the data dump – undermining earlier claims that the hack had taken place in 2011, and only historic data had been published.

"It's all there," one customer told us. "It is, at most, a couple of months old."

Several QNB customers that have spoken to The New Arab since reports of the leak first broke have now withdrawn all funds, often transferring their savings inexpensively using PayPal or similar online platforms to spirit their cash away from the gas-rich Gulf state.

Spycraft and bank drafts

The data leak, while publishing basic account details – credit card numbers, expiry dates etc – of as many as a million customers, included a series of hundreds of dossiers on Qatar's royal family, police and defence establishments and several other key industries – including the Al Jazeera media network.

It categorised more than a dozen of the bank's customers, including Al Jazeera staffers, as "spies" working for international espionage agencies from Britain's MI6 to the Pentagon's Defence Intelligence Agency.

Read More: Thousands, including 'MI6 spies' have bank details leaked

All of those singled out for further intelligence-gathering have extra details compiled – including bank website passwords, reminder questions and answers, international funds transfers and so on.

More sinister, several of the dossiers include the subject's Twitter and Facebook accounts, photographs of their family, and even details of where their children attend school.

"The invasion of their privacy in this way has massive implications for their personal security, exposing them to a range of risks including fraud, blackmail, and harassment," said Privacy International Research Officer Edin Omanovic.

It has so far proven difficult to establish the entire veracity of the data in its completeness – the data dump is 1.4Gb in size, and is composed largely of unencrypted plain text files and Excel-readable .csv lists. In comparison, the contents of the Bible come to around 5Mb when stored in plain text.

That said, those customers who have spoken with The New Arab said that, while some details such as mobile phone numbers show signs of being mis-transcribed – they may be one or two numbers wrong – the essential information was all correct.

The invasion of their privacy in this way has massive implications for their personal security
- Privacy International


Stress test

Bernard Smith, a veteran Al Jazeera journalist, was one of those whose portrait photo and Twitter account had been mined by the leak's author.

"I was shocked when I saw this online. I phoned the bank, because they hadn't contacted me," he told The New Arab.

"They didn't tell me anything until I had seen it in the media. They've now advised me to change my passwords, and assured me there won't be any financial loss – but I am obviously very concerned about my personal details being made public. It's shocking to see all your details posted online."

The data in the leak covers as many
as a million customers [TheNewArab]

Smith said there had been at least four attempts to break into his account in the 24 hours after the data was dumped online.

QNB customers have for several years been able to set up an extra layer of account security involving an SMS message being sent to an account holder's phone whenever there is activity on the account, and the risk of major financial loss is small.

But it is the publishing of personal information, along with corresponding banking details, and the labelling of several customers – by whichever individual, agency or institution compiled these dossiers – that puts many at risk of phishing and other attacks, say data experts.

"Intimate details about our personal lives are now being recorded and stored by a wide range of companies and institutions," Privacy International's Omanovic told The New Arab.

"As appears to be the case here, this leaves the private details about the lives of millions of people vulnerable to hackers and to the highest bidder. Furthermore, it appears as though presumptions about customers were also made in the data. Users have a right to know about what inferences will be made about them and what those inferences are."

And those inferences may not even be correct – which may be severely damaging to a customer's reputation, if nothing else.

Imagine if an internet data leak wrongly identified you as a spy. How on earth would you convince someone that you weren't? Now imagine applying for a job in the future – only to have your would-be new boss Google your name and finding you seemingly implicated in a spy-banking scandal.

That's a job you're not getting.

At least some of the espionage inferences investigated by The New Arab are more than likely to be entirely false.

The account details within the dossier of one QNB customer labelled as an international spy, for example, reveal that their banking password was based on the name of their pet rabbit, with -123 appended.

What kind of self-respecting spy uses their pet rabbit's name as a bank password?

Assets covered

Dossiers contained within the leak were further categorised
according to significant industries and families [TheNewArab]

Several of the bank's customers told The New Arab they were wary of downloading the data themselves in case of legal repercussions in a country where internet access is subject to stringent restrictions.

Much of the data is understood to go back several years, and several of the former expats implicated have since returned to their home countries – jurisdictions in which QNB holds assets and in which courts may have more favourable attitudes towards awarding damages for breaches of data protection legislation.

QNB itself has largely kept quiet about the matter. When details of the hack first began to emerge this week, the bank published a statement online to reassure customers.

"It is QNB Group policy not to comment on reports circulated via social media," the bank said.

"QNB would like to take this opportunity to assure all concerned that there is no financial impact on our clients or the bank. QNB Group places the highest priority on data security and deploying the strongest measures possible to ensure the integrity of our customers' information. QNB is further investigating this matter in coordination with all concerned parties."

It has, however, not updated customers since Tuesday. Further requests for comment had not been responded to by time of publication.

QNB Group places the highest priority on data security
- Qatar National Bank

Next steps

It is highly unlikely that the bank itself was collecting or storing information on its customers in this way. Unencrypted plain text files are probably the least secure way imaginable to hold any data, let alone such sensitive information.

Analysts suggest it is more likely that the bank has been the target of a hacker – with either criminal or espionage intent – who scraped the data for whatever information they could muster into a series of reports for further analysis or targeting.

There is further speculation that whomever compiled such reports may not have been the person who published the data online, as such rudimentary classification of data betrays a lack of the professional discretion that may be expected from state spy agencies.

If you are a QNB customer, what should you do?

Hopefully by now, you've already changed your online banking password. You should be doing this every few months anyway. You should also change your PIN codes and ask the bank for replacements for any cards – credit or debit – that you may have, whether you use them frequently or not. If you're not from Qatar, you should also contact your international bank if you send remittances home. Close those accounts and open new ones.

A Barcelona-based computer scientist has also created this tool, which you can use to search for your Qatar residency ID, to see if you may be at risk. Please note, The New Arab does not endorse any third-party sites.

While financial losses may be mitigated, this remains probably the largest data leak in Qatar's history, and – following recent leaks from other financial and military institutions around the world – will not boost confidence in banking security.

But it is not the banking itself necessarily at fault.

The over-reach of intelligence-gathering – be it by financial or espionage agencies – is to blame, suggests Privacy International.

"These institutions should be minimising the amount of information they collect, process, and store, and taking strong steps to protect the information they do store," said the group's Edin Omanovic.

"Failure to do this makes incidents like this almost inevitable, and will concern everyone who uses the internet or passes personal information in any way to anyone."

Follow James Brownsell on Twitter: @JamesBrownsell