The big story this week is around the “alleged” Data breach of Qatar National Bank (QNB). The attack came as a bolt from the blue with the attackers releasing a massive data-dump of over 1.5GB on the open internet. The file was available for a short while as a zip file that could be downloaded by all who could find it. While it isn’t clear if this is the entire dataset extracted from QNB, the data exposed on the internet is a significant quantum of data that has had the obvious effect. I am sure that customers of the bank would be “running for the hills” as several details concerning customers, especially high-profile customers have been released on the internet, including their account information, financial transfers and so on.
I have had a look at the data dumps from the breach and they are not pretty. Here’s what I think happened and what other companies can learn from this breach.
Poor Data Protection
As per reports, Attackers have definitely used SQL Injection as one of the modes of attack. There have been clear logs from tools like SQLmap that have been run against a Java web application that is querying an Oracle Database. The SQL Injection seems to have been trivially exploited with UNION queries being used to exploit the SQL Injection and extract a ton of data from the back-end Oracle Database.
Abhay Bhargav
Abhay is an Information Security evangelist. He has authored “PCI Compliance, a Definitive Guide” published by CRC Press New York. Abhay is also a regular speaker in Industry events including OWASP, Oracle OpenWorld, JavaOne, ISACA, NASSCOM and so on. He has performed security assessments for enterprises across domains of Banking, ITES and Telecom and also led security assessments for the Payment Card Industry Compliance (PCI-DSS) as a QSA.
