DUBAI, United Arab Emirates (AP) — Qatar’s largest bank acknowledged Sunday that some personal customer data that was leaked online may be authentic, and said it has hired an outside expert to review potential vulnerabilities to its computer systems.
Files dumped online last week appeared to contain sensitive information involving thousands of Qatar National Bank customers, including bank logins, passwords, security questions and answers, credit card numbers, national identification numbers, phone numbers and email addresses. The bank previously said only that it was investigating an alleged breach.
“While some of the data recently released in the public domain may be accurate, much of it was constructed and contains a mixture of information from the attack as well as other non-QNB sources, such as personal data from social media channels,” the bank said Sunday.
“We believe the nature of this incident is fundamentally an attempted attack on QNB Group’s reputation and not specifically targeted at our customers.”
The bank has released little information about how its network was compromised. It said its risk team “monitored abnormal activity in our system environment,” and that this information was immediately shared with relevant authorities. Only a portion of its customers were affected, it said.
“We are taking every measure to protect the privacy of our customers and have engaged an external third party expert to review all our systems,” it said.
Accounts are now secure and customers will face no financial fallout from the breach, it promised, without specifying how.
Security experts say the leaked data, which purported to include government employees and members of the ruling family, appeared genuine. Several customers have told The Associated Press that information posted online was authentic.
Two experts who’ve studied the breach — Abdullah AlAli of Kuwait-based Cyberkov and Finland-based security engineer Omar Benbouazza — say hackers apparently used what is known as an SQL injection to obtain unauthorized access to hundreds of thousands of unencrypted records.
The commonly used tactic involves taking advantage of errors and misconfigurations to force servers to throw out sensitive data.
“Any kid learning about hacking can do this,” Benbouazza said.
Benbouazza said the bank was running “old and vulnerable software” on its servers while AlAli said its unusual configuration — with the main website directly connected to sensitive databases — may have made the hackers’ job easier.
In 2012, a damaging virus crippled computer systems at Qatari natural gas producer RasGas soon after a similar attack on Saudi state oil giant Saudi Aramco. Hackers later managed to steal $ 45 million using stolen card data from Rakbank in the United Arab Emirates and Oman’s Bank Muscat.
AlAli said oil-rich Gulf Arab states were belatedly waking up to the threat of cyberattack.
“It is something very new for them,” he wrote in an email. “The lack of expertise and awareness will make the coming years harder for the government and private sector.”
___
Associated Press writer Raphael Satter in London contributed to this report.
___
Follow Adam Schreck on Twitter at www.twitter.com/adamschreck