DUBAI, United Arab Emirates – Qatar’s largest bank is investigating a security breach that appears to have exposed sensitive personal data for what could be hundreds of customers, including employees of international broadcaster Al-Jazeera and potentially senior government officials.
Qatar National Bank acknowledged in an emailed statement Wednesday that it was looking into “an alleged data breach” after a file containing the purported account information began circulating online. The bank did not say whether information in the files was legitimate or if its network had been breached, citing a policy of not commenting on reports shared on social media.
Four people identified in the files and reached by The Associated Press confirmed their personal information was authentic.
The files are not uniform, but in many cases they contain customers’ bank logins, passwords, security questions and answers, Qatari national identification numbers, phone numbers and email addresses.
“Everything that they had was correct,” said Gordon Hickey, who used to work for Al-Jazeera and now works as a freelancer in Ireland. “It’s a complete personal breach. It’s awful.”
The bank said it was co-ordinating with “all concerned parties” to investigate the matter and offered its assurance that there would be no financial impact for its clients or the bank.
“QNB Group places the highest priority on data security and deploying the strongest measures possible to ensure the integrity of our customers’ information,” it said.
The data dumped online was organized into nine folders, with names including “Al-Jazeera,” “Police, Security,” “Defence and etc” and “Mukhabarat” — the Arabic name for intelligence services. It also included a folder named “Al-Thani,” the name of Qatar’s ruling family, which purported to include details on many of its members.
Al-Jazeera said its online security division has sent a message to all staff assuring them that its own internal networks have not been compromised.
“Our staff have been recommended to be vigilant, be prudent and change passwords for those who bank with QNB and report any suspicious activity,” Al-Jazeera said in a statement.
Qatar’s government communication office did not immediately respond to a request for comment.
One victim, Oliver Huxter, said he feared his information had been compromised three weeks ago when he received a suspicious text message containing private banking details. He has changed his password and other security details since, but said he now has little faith left in the bank despite years of loyalty.
“My real concern, which I think will be the concern of a lot of people, is the amount of information that’s included in there,” he said. “I’m shocked that this has happened.”
It is unclear if all of the data posted online originated from the bank itself.
Some of the files included customers’ social media accounts and other details a bank would be unlikely to request. Several were marked “SPY.” In a few cases, banking details were accompanied by photos of alleged customers and even family members.
QNB is one of the most prominent brands in Qatar, a tiny but energy-rich nation jutting off the eastern side of the Arabian Peninsula that will host the 2022 World Cup. The bank, which is half-owned by a government investment fund, counts operations in 27 countries on three continents.
In 2012, computer systems at Qatari natural gas producer RasGas were struck by a damaging virus soon after a similar attack on Saudi state oil giant Saudi Aramco. Cybersecurity experts suspected Iranian hackers were involved in those attacks.
Follow Adam Schreck on Twitter at www.twitter.com/adamschreck