QNB hack – Reiterating the importance of knowing one’s digital environment

In the latest high-profile cyber security breach of a financial institution in the region, it was reported last week that Qatar National Bank (QNB) was the victim of a hack in which personal details of many of the institution’s clients were posted on social media.

According to a report in the Financial Times, the 1.4GB leaked file includes the names and passwords of thousands of QNB customers. Subfolders within the leaked data divide individual details into further categories including staff at Al Jazeera, members of Qatar’s ruling Al-Thani family, and intelligence and defence officials.

According to a cyber security expert quoted in the Financial Times article, the breach was the work of a hacker who had gained unlawful access to QNB’s system as long ago as July 2015, the date to which a subsequent review of the log file traced the presence of a secret insertion tool.

Thus the hacker is believed to have been present within QNB’s system since last July, having been able to work within the environment and profile numerous customers.

QNB claims there was no direct financial loss as a result of the hack, though the cost of the reputational damage to the institution and in fact to the country is likely to be significant.

Each new breach teaches us different things, and in this case DarkMatter identifies the following key learnings:

  1. Institutions need to know and understand the scope and operations of their digital assets in order to be able to identify any abnormalities as quickly as possible. The fact that it took many months for the hacker’s presence in QNB’s system to be detected, and this only after confidential information was leaked to the public, highlights that institutions are not being aggressive enough in monitoring their data assets in order to reduce the time required to discover zero-day exploits.
  2. Given the inclusion of direct references to ‘spies’, members of government, and the media in the leaked information, one cannot rule out the possibility of the attack having been orchestrated by state-sponsored agents. Their hacking techniques may be similar to those of non-state-sponsored agents, though their motivations could be quite different, which makes them unpredictable and often more difficult to identify.
  3. Financial institutions remain a top target for hackers either for financial gain or to interrupt operations and embarrass organisations. Hence institutions in this sector need to develop even greater cyber security resilience in their digital systems.

DarkMatter conclusion and recommendations

This latest breach offers another insight into why institutions need to develop stronger, pro-active cyber defence postures. DarkMatter advises that institutions:

  • Keep up to date with the cyber security policy guidelines and standards in their markets of operation, as well as internationally in order to assist in shoring up their cyber defence posture against known risks.
  • Develop as much visibility about their digital assets and systems as possible in order to better understand what is going on in their environment and be able to pro-actively protect and defend assets against attack.
  • Continually evaluate the institution from a cyber security perspective, and ensure as much integration as possible in order to limit security failures due to ‘weak links’ within the system.

The recommendations above are incorporated under DarkMatter’s four-stage Cyber Security Life-Cycle approach, which encompasses planning, detection, protection, and recovery.