Stephen Bailey, who leads the cyber security team in PA Consulting’s technical security practice, is quoted in an article in Gulf News. The article talks about Qatar National Bank’s cyber attack in which 1.4GB of sensitive customer data was taken and published online.
The article explains that the data taken included transaction logs and personal data, including data relating to a number of Al Jazeera journalists and the Qatari royal family.
Stephen explains how important it is for regional institutions to take additional steps to protect their key data. He says: “Going by the motivation of financial gains, GCC region and the regional financial institutions could be more vulnerable because of the high concentration of wealthy individuals in the region. In the light of the increasing attacks it is important for regional institutions to take additional steps to protect their key data.”
He goes on to talk about the motive for the Qatar National Bank hack, which he says can’t be pinpointed at this stage: “Although the bank has claimed it is an attack on its reputation, there could be a ‘financial angle’ as these professional hackers are hired by someone with a motive, which could be from tarnishing someone’s reputation to making financial gains from personal data of customers. But at this stage, it is difficult to believe anyone hacking into a bank’s data system just for defaming the institution.”
Stephen goes on to say: “The strangest part of the QNB incident is that the hackers reportedly had access to the bank’s data systems for a fairly long period – by some accounts about 200 days – and the bank’s security system could not detect it until they made off with 1.4GB of data, and worse, the bank came to know of it when some of the data was published.”
Stephen explains that, most of the time, vulnerabilities in security systems occur when modifications are made to existing websites and applications. “Institutions must get their basics right in securing their critical data,” says Stephen.
Stephen concludes by warning that more care needs to be taken when modifications or new modules are introduced to the existing data system. “There needs to be classification of data at various levels, the storing and securing should be done according to the importance of these data,” he says.