INFOWATCH ANALYTICS CENTER
1
TABLE OF CONTENTS
Table of contents 2 Report findings 3 Conclusion and findings 9 Leakage monitoring on the InfoWatch website 10 Glossary 11
REPORT FINDINGS
REPORT FINDINGS
InfoWatch Analytics Center has released a report on personal data, payment details and other confidential information leaks in the Middle East (Bahrain, Jordan, Israel, Yemen, Qatar, Kuwait, Lebanon, UAE, Oman, Saudi Arabia, Syria), as well as geographically and culturally close Iraq and Iran, and Northern and North-Eastern Africa (Algeria, Egypt, Libya, Morocco, Sudan, and Tunisia) – all of which will be hereinafter together referred to as the “Middle East”. The report is based on publicly available cases, with the sampling being sufficient to compare it with the global data leakage landscape. The authors analyzed information security incidents that clearly involved data compromising, selecting approximately 60 data breaches from businesses, public organizations, and governmental agencies in the Middle East over the period from July 1, 2017, to June 30, 2018. While the global sample for the same period included 2,000+ data leaks, both reports employed the unified list of metrics, thus making the research findings comparable. The authors believe that both global and the Middle East surveys cover a maximum of 1% of all assumed leaks due to the extremely concealed nature of incidents involving data compromising. However, InfoWatch selected leak classification criteria in such a way so that each category group contained sufficient or excessive number of items (actual data leaks). This approach to survey fielding allows having theoretical sample, with the findings and trends identified in the sample being representative for the aggregate total. The InfoWatch analysts believe that the research allowed them to describe the big picture of the data breaches in the region and compare key breakdowns of global and regional leaks. This report is a valuable source of basic information for business owners, top managers, CISOs, cybersecurity system developers, and generally all those who take interest in data security.
INFOWATCH ANALYTICS CENTER
3
REPORT FINDINGS
enterprises. A relatively small share of personal data leaks in the region (29.6%) is due to the fact that neither criminals, nor media take interest in this data type, with just a few leaks having taken place (particular through external attacks) and a few personal data compromising incidents being reported.
Most data leaks in the Middle East exposed trade and state secrets The comparison of compromised information by type revealed significant difference between the global and Middle Eastern leakscapes. While almost 67% of all global incidents over the reporting period affected personal data, the majority (over 38%) of Middle Eastern data breaches compromised trade secrets and know how (Figure 1), with a significant share of state secrets being also exposed in the region.
“
Political and economic conditions in the Middle East, caused by tensions among neighboring countries, influence the big picture of data breaches. Moreover, having energy commodities as their biggest export revenue source, the Middle East countries see public uproar when information of political or technological value is compromised as a result of either external attacks on government agencies and manufacturing enterprises or malicious/negligent actions by their employees.
Sudanese Mineral Resources Company (SMRC) initiated an investigation into a trade secret leak to social media by its employee. The document compromising may affect the Ministry of Finance, Ministry of Natural Resources, and the Bank of Sudan, which all cooperate with SMRC SudanNow
DATA LEAKS External attacks IN THE MIDDLE EAST, are the main cause 2017–2018 of data breaches in the Middle East
Two thirds of all leaks from Middle East compaTypes of compromised data nies are triggered by external intruders, while
This is due to poor data loss protection of Middle East government agencies and manufacturing
Most data leaks in the Middle East exposed trade and state secrets
8.6% 6.7%
18.2%
38.6%
Globally
29.6%
Middle East
66.5%
Personal data Payment details State secret
6.8%
Trade secret, know-how
25%
Fig. 1. Types of compromised data
4
Attack vectors
DATA BREACH REPORT 2018
External attacks are the main cause of data breaches in the Middle East 37.2%
62.8%
Globally
REPORT FINDINGS
insiders account for almost the same share (62.8%) worldwide (Figure 2).
“
In Lebanon, hackers were arrested for the largest series of attacks in the country’s history. The investigation found that cybercriminals stole and sold information of private companies, public institutions, law enforcement agencies, and a major telecom carrier New Lebanon
compromised extremely sensitive data — state and trade secrets. Insider actions can lead to severe consequences, even death of people and heavy damage to national defense capability.
“
Iran has sentenced to death a person found guilty of providing information to Israel to help it assassinate several senior nuclear scientists, Tehran’s prosecutor said. At least four scientists were killed between 2010 and 2012 in what Tehran said was a program of assassinations aimed at sabotaging its nuclear energy program. Iran hanged one man in 2012 over the killings, saying he had links to Israel Reuters
DATA LEAKS IN THE MIDDLE EAST, It is important to note that many cybercriminals 2017–2018 here are politically rather than economically motivated.
“
Types of compromised data
Chafer, an Iran-based hacker group, staged a number of ambitious attacks on organizations In the Middle East, not only government agenin the Middle East, leveraging new tools such cies, but also private businesses rarely go pubMost data leaks in the Middle East exposed trade and state secrets as EternalBlue exploit which was developed lic with cybersecurity violations, and even when by the U.S. National Security Agency and prethey do, the usual case is that guilty persons 8.6% viously used as part of WannaCry and Nothave already been identified and penalized. 6.7% 38.6% 29.6% Petya cyberattacks. Chafer was focused on Personal data gathering information and espionage, hitting South Sudanese law enforcement agents arPayment details Middle 18.2% 66.5% Globally organizations in Israel, Jordan, the United rested deputy accountant State of the state-owned secret East Arab Emirates, and Saudi Arabia oil company (Nilepet) over allegations of 6.8% Trade secret, know-how Symantec leaking confidential documents regarding 25% its operations. In particular, the documents A quite small share of internally triggered data might contain information on corrupt dealleaks in the Middle East should be subject to ings within this national oil company. reasonable doubt. The majority of such incidents Sudan Tribune
“
Types of violators Attack vectors
External attackers are responsible for 73% of all recorded data breaches. Hackers are primarily interested in national strategic plans, know-how, university External attacks are the main cause of data breaches in the Middle test Eastpapers, etc. 73.2% 37.2%
47.5%
Globally Globally
62.8%
44.7%
66%
External attacks
Middle East Middle East
34% Internal offenders
19.6%
Causes of data breach
Fig. 2. Attack vectors 2.2% 5.4% 1.3% 1.8%
External Rank-and-file Top managers managers Privileged External Rank-and-file Top Privileged The vast majority of internal violations are intentionalusers offenders employees offenders employees users 68.4%
31.6%
2.9%
1.4%
Contractors Former Contractors Former INFOWATCH ANALYTICSemployees CENTER employees
Globally
5
Types of compromised data REPORT FINDINGS Most data leaks in the Middle East exposed trade and state secrets
8.6% 29.6% Rank-and-file employees are behind some 20% Personal data of leaks in the region under review, with local Payment details Middle top managers (privileged users) accounting for State secret East more incidents than their peers worldwide (5.4% 6.8% Trade secret, know-how vs. 2.2%) (Figure 4).
6.7%
38.6%
A vast majority 18.2% Globally 66.5% of internal violations are intentional
“
25%
The internal leak breakdown by intent shows In Algeria, ex member of parliament Ahmed how poorly Middle Eastern companies are proBelkasmi was sentenced to five years in tected against malicious employees. Thus, apprison for handing over stolen confidential proximately 85% of all registered incidents are information to a foreign state, including reof intentional nature here, compared to almost ports on security, economic, and political External attacks are the main cause of data breaches in the Middle East 69% of accidental leaks globally (Figure 3). matters, as well as information on health, movements, and ongoing activities of the 37.2% 62.8% Advanced security tools are, of course, more effecPresident of Algeria. Globally tive against accidental data breaches. Intentional Alyaoum24.com Middle East 66% 34% leaks are mainly recorded when made public. The External attacks Internal offenders fact that the majority of Middle Eastern leaks are External attackers are responsible for 73% of all malicious by their nature allows us to conclude that recorded data breaches. The analysis of reportlocal companies either fail to identify accidental ed data leaks shows that hackers are primarileaks using their security tools or, as we mentioned ly interested in national strategic plans, knowExternal attackers are responsible for 73% of all recorded data breaches. above, avoid going public with such incidents. how, university test papers, etc.
Attack vectors
Types of violators
Causes of data breach
Hackers are primarily interested in national strategic plans, know-how, university test papers, etc. The vast majority of internal violations are intentional 73.2%
68.4%
Globally Globally
31.6%
Types of violators 47.5%
15.4%
Middle East Middle East
84.6%
44.7%
Human error
Malicious intent
External attackers are responsible 19.6%for 73% of all recorded data breaches. 3. Causes data breach Hackers are primarily interested in nationalFig. strategic plans,ofknow-how, university test papers, etc. 5.4% 2.9% 2.2% 1.3% 1.8% 73.2% External External offenders offenders
Rank-and-file Rank-and-file employees employees
47.5%
Top managers managers Top
Globally Contractors Contractors
Privileged Privileged users users
1.4% Former Former employees employees
Middle East
44.7%
Insider leaks by sector 19.6%
5.4% Over 50% of all leaks take place in government institutions and 1.3% banks1.8% 2.2% External offenders
24.1%
19.2%
17.2%
20.4% Fig. 4.15.9% Types of violators 10.8% 10.6%
2.3%
1.4%
Middle East
Privileged users
Insider leaks by sector 11.4%
6
Rank-and-file 36.4%Top managers employees
2.9% Globally Contractors
5.2%
13.6%
Former employees
6.9%
6%
Retail Retail Globally and and HoReCa HoReCa
Municipal Municipal authorities authorities
DATA BREACH REPORT 2018
High-tech Healthcare Government Banking Education High-tech Healthcare Banking Over 50% of all leaks take placeGovernment in government institutions andEducation banks and military and finance and military and finance
Manufacturing Manufacturing and and transport transport
Middle East
REPORT FINDINGS
“
Hackers broke into an email account of a Dubai-based car dealer and altered a delivery address for four Mercedes vehicles, but officers from the Cyber Crimes Department arrested intruders and ruined their plans. Gulf News
Although their motives differ, criminals most often seek personal gain.
“
the region under review also saw more data breaches in banks (15.9%), manufacturing and transport (13.6%) sectors (Figure 5).
“
The UAE Central Bank sent a circular to local and foreign banks and finance companies operating in the UAE, declaring that credit card numbers, email addresses and mobile numbers of around 250 customers based in Dubai had been compromised. As a result, some UAE residents shared their harrowing stories about card frauds they faced after transactions at shopping malls, gas stations, and online stores. Khaleej Times
The National Security Service of Iraq arrested an 8-person gang for gaining access to confidential information, such as exam questions issued by the Ministry of Education, and then selling it on social media. External attackers are responsible for 73% of all recorded data breaches. Elaph.com Hackers are primarily interested in national strategic plans, know-how, university test papers, etc. At the same time, the Middle East recorded vir73.2% tually no leaks from the healthcare, retail, and Government and HoReCa sectors. In ourGlobally opinion, this is mainly due to the fact that neither hackers Middle East nor insiders 47.5%banks suffer over 44.7% take a great interest in these data yet. It can also 50% of all leaks be that companies operating in these sectors 19.6% simply fail to detect their data leaks, or reported There is a huge difference between global and breaches attract no 2.9% public attention for the rea2.2% 5.4% 1.4% 1.3% 1.8% Middle East leak breakdowns by industry. Thus, sons mentioned above. External Rank-and-file Top managers Privileged Contractors Former local government agencies and educational inoffenders employees users employees stitutions experienced 36% and 20% of leaks, Enterprise leak breakdown by channel differs respectively (twice as many as worldwide aver- dramatically in the Middle East and globally. The age). Moreover, compared to global statistics, network channel accounted for over 60% of data
Types of violators
Insider leaks by sector
Globally
Over 50% of all leaks take place in government institutions and banks
Middle East 36.4% 24.1% 11.4%
19.2%
17.2% 2.3%
High-tech
Healthcare
Government and military
10.8%
15.9%
Banking and finance
20.4% 10.6%
5.2%
Education
13.6%
Manufacturing and transport
6.9%
6%
Retail and HoReCa
Municipal authorities
Fig. 5. Insider leaks by sector
Data leak sources Network
INFOWATCH ANALYTICS CENTER
42.2%
61%
7
Types of violators External attackers are responsible for 73% of all recorded data breaches. Hackers are primarily interested in national strategic plans, know-how, university test papers, etc. REPORT FINDINGS
73.2%
47.5%
leaks worldwide and just44.7% 42% in the Middle East. At the same time, the shares of leaks through mobile devices and instant messengers 19.6% in the Middle East were several times larger than global figures 2.2% 5.4% (6.7% vs. 1.9% and 17.8% vs. 4.5%, respectively). Leaks as aExternal result of paper document theft/loss acRank-and-file Top managers offenders employees incidents (comcounted for some 18% of recorded pared to as little as 11% in the world) (Figure 6).
Globally
“
Middle East
Ahead of the parliamentary elections, two Lebanese embassies abroad have exposed the personal data of Lebanese voters. First, the Lebanese embassy in the UAE sent an 2.9% 1.3% 1.8% email to Lebanese residents with1.4% an attached spreadsheet containing the perPrivileged Contractors Former users sonal details of more than 5,000 employees Lebanese citizens who have registered to vote in the upcoming elections. Around the same time, the Lebanese embassy in the Hague (The Netherlands) sent a similar email to more The share of network Globally Over 50% of all leaks take place in government institutions and banks than 200 recipients. The email contained channel is half the an attached spreadsheetMiddle with East the personal worldwide size, with 36.4% data of the Lebanese voters in the Nether24.1% almost19.2% 25% of leaks lands. Moreover, the person who sent the 20.4% 17.2% 15.9% 13.6% 11.4% through mobile 10.8% email entered all the recipient addresses in 10.6% going 6.9% 6% 5.2% 2.3% the Cc field instead of using the Bcc field to devices and instant conceal these data. High-techmessengers Healthcare Government Banking Education Manufacturing Retail Municipal and military and finance and transport and HoReCa Smex.org authorities
Insider leaks by sector
Data leak sources Network
42.2% 15.7% 13.3%
10.8% 17.8%
Printed documents
IM (text, voice, video)
Equipment theft /loss
Mobile devices
Removable media
4.5%
Globally 17.8%
3.7% 2.2% 1.9% 6.7% 2.4%
Fig. 6. Data leak sources
8
DATA BREACH REPORT 2018
61%
Middle East
CONCLUSION AND FINDINGS
CONCLUSION AND FINDINGS The analysis of confidential information leaks revealed in the Middle East countries shows some key cybersecurity trends. We believe the cyber landscape in this macroregion, like nowhere else, depends on relations among its neighboring states and rather non-public nature of business in most of its countries.
ous, despite their relatively small share. Intentional data leaks that most often compromise state secrets and valuable business information account for 85% of all recorded incidents.
Indeed, as global powers are interested in the region, the Middle East also sees multiple collisions between neighboring governments. National intelligence agencies and hacker groups primarily chase military secrets, information on mission-critical infrastructure facilities, trade secrets of large companies in the Middle East and bordering countries. That is why know-how, state and trade secrets account for the largest share of data leaks here.
The analysis of publicly available cases shows that government agencies and most businesses in the Middle East lack reliable tools to protect themselves against both external and internal leaks. Security services most likely do not notice a great majority of breaches. Moreover, local organizations still have not got used to reporting data breaches. These incidents are usually considered as extraordinary political events here, with businesses and government agencies often failing to see a direct correlation between a confidential information leak and financial and reputational losses.
Note that external leaks hit the Middle East twice as often as internal ones, which may be attributed to both hyperactivity of cybercriminal groups and political motivation behind many attacks. However, for governments, businesses, and citizens, internal leaks are just as danger-
To prevent data leaks, Middle East companies need to reconsider their security approaches, including both ideology and use of particular external and insider threat protection tools that should combine Data Loss Prevention (DLP) with User and Entity Behavior Analytics (UEBA).
INFOWATCH ANALYTICS CENTER
9
LEAKAGE MONITORING ON THE INFOWATCH WEBSITE
LEAKAGE MONITORING ON THE INFOWATCH WEBSITE InfoWatch Analytics Center regularly posts Follow the leakage news, new reports, analytical data leakage reports on its website, as well and popular articles via our channels: as the most notorious incidents commented by InfoWatch experts. https://infowatch.com/subscrybe In addition, the website contains data leakage statistics for past years, available in the form of dynamic diagrams. https://www.facebook.com/InfoWatchMiddleEast
www.infowatch.com/analytics
https://twitter.com/infowatch_me
https://www.instagram.com/infowatch_me
10
DATA BREACH REPORT 2018
GLOSSARY
Information security incidents in this research mean cases of compromising confidential information as a result of data leaks and/or destructive actions by employees. Data leak means losing control over information due to external intrusion (attack), access abuse, or unauthorized access. Destructive actions by employees mean personnel actions that resulted in the compromising of confidential information, including the use of confidential information for personal needs associated with fraud; illegal access to information (abuse of access rights). Confidential information in this context means information which can be accessed by a limited number of expressly identified persons subject to its non-disclosure to third parties without the consent of an information owner. In this report, the term “confidential information” also includes personal data. Intentional/Accidental Leaks. Intentional leaks mean an information leakage when a user, who works with information, could foresee negative implications of his or her actions, knew about their illegal nature, was warned about liability, and acted for personal gain or benefit. This results in a risk of losing control over information and/or committing a confidentiality breach. In this case, it does not matter whether such user’s actions actually led to negative consequences or corporate losses. Accidental leaks mean information leakages when a user neither foresees negative implications of his/her actions, nor acts for personal benefit. In this case, it does not matter whether such user’s actions actually led to negative consequences or corporate losses. The terms “intention-
al/malicious” and “unintentional/accidental” are equal and used as synonyms herein. Attack vector means a classification criterion of intruder’s actions behind data leakage, including intruders who attack company’s web assets and IT infrastructure from the outside to compromise data, and insiders who obtain unauthorized access to classified resources and misuse confidential information, etc. Data channel means a scenario which results in the loss of control over information and a breach of its confidentiality. Currently, we identify eight separate leak channels: • Theft/loss of equipment (server, data storage, laptop, desktop), with information being compromised during maintenance or due to the loss of such equipment • Mobile devices where data leakage occurs because of unauthorized use or theft of a mobile device (smartphone, tablet) when used as part of BYOD paradigm • Removable media loss/theft (CDs, flash drives) • A network where data is leaked via a browser (sending data to personal email, filling in browser forms); unauthorized use of intranet resources, FTPs, and cloud services; and unauthorized information posting on a website • Email, with data being leaked via corporate email • Paper documents which can cause a data leakage if stored or utilized improperly (with confidential information printed, stolen, or taken out) • Instant messengers (data leakage via voice, chat, and video communications) • ‘Non-defined’ is a category used when incident details appearing in mass media do not allow for the leak channel identification.
DATA BREACH REPORT: A STUDY OF DATA LEAKS IN THE MIDDLE EAST ‘2017-2018
Headquarters
InfoWatch Labs
Vereyskaya street 29, building 33,
Level 33, Ilham Tower, No. 8, Jalan Binjai,
121357, Moscow, Russia
50450, Kuala Lumpur, Malaysia
+7 495 22 900 22, +7 499 37 251 74
+603 2117 5177, +603 2117 5178
InfoWatch Gulf
iw-global@infowatch.com
Suite 3203, 1 Lake Plaza Building, Cluster T,
www.infowatch.com
Jumeirah Lake Towers, Dubai, UAE +971 4 558 65 65
1
DATA BREACH REPORT 2018