Beginning on February 14, 2023 - the twelfth anniversary of Bahrain’s
Arab Spring uprising - a hacktivist group identifying itself as Al-Toufan
(“The Flood”) launched a sustained, multi-wave campaign against Bahraini
government infrastructure. The first wave took Bahrain International Airport, the
Bahrain News Agency (BNA), and the Chamber of Commerce offline, while simultaneously
defacing the website of Akhbar Al Khaleej, one of Bahrain’s oldest Arabic-language
newspapers. The timing was unmistakably political: the anniversary of the 2011 Pearl
Roundabout protests that were ultimately suppressed by Saudi-led GCC intervention forces.

The campaign escalated dramatically in its second wave on November 21, 2023, after
Bahrain’s Crown Prince publicly condemned Hamas following the October 7 attacks.
Al-Toufan knocked the Foreign Ministry and Information Affairs Ministry offline and
- critically - exfiltrated and publicly released passport scans of American
citizens and a senior Russian diplomat stationed in Bahrain, along with diplomatic card
renewal requests containing full personally identifiable information. The Bahraini
government confirmed the attacks but denied any data loss. A third wave across
2023-2024 targeted the e-visa service with website defacement, though authorities
claimed no visa applicant data was compromised.
## Key Facts
- **What:** Multi-wave hacktivist campaign with DDoS, defacements, and data theft.
- **Who:** Bahrain airport, ministries, news agency, and foreign diplomats.
- **Data Exposed:** US and Russian diplomatic passport scans and accreditation documents.
- **Outcome:** Government denied data loss despite public evidence; no enforcement.
## What Was Exposed
The Al-Toufan campaign represents a hybrid threat model that combined volumetric
disruption (DDoS), propaganda operations (defacement), and targeted data exfiltration
across multiple distinct attack waves. The most consequential exposure occurred during
the November 2023 wave, where the group published verifiable documents containing
sensitive personal data of foreign diplomats and their dependents.
- Passport scans of American citizens resident in or transiting through Bahrain,
containing full names, passport numbers, dates of birth, nationalities, photographs,
and machine-readable zone (MRZ) data - sufficient for identity fraud and
travel document forgery
- Passport documentation of a senior Russian diplomat stationed at the Russian
Embassy in Bahrain, exposing the identity and posting details of an accredited
foreign service officer - a significant counterintelligence concern
- Diplomatic card renewal requests containing personal details, accreditation
status, posting duration, and potentially family member information for diplomats
and their dependents
- Disruption of Bahrain International Airport web services during Wave 1,
potentially affecting flight information, booking services, and passenger-facing
digital infrastructure
- Compromise and defacement of the Bahrain News Agency (BNA), the kingdom’s
official state news wire, undermining information integrity during a politically
sensitive period
- E-visa service defacement in Wave 3, raising questions about the security of
visa applicant databases containing passport data, travel histories, biometric
photographs, and contact information of foreign nationals seeking entry to Bahrain

The diplomatic passport leak is the most significant element of this campaign from a
data protection perspective. Diplomatic documents are among the most sensitive categories
of personal data processed by any government - they identify individuals who may
be intelligence officers under diplomatic cover, reveal bilateral diplomatic relationships,
and expose individuals to targeted surveillance, harassment, or physical threats. The
publication of American and Russian diplomatic passport scans on public channels
transformed what could have been a routine hacktivist disruption campaign into an
international incident with intelligence implications.

The Bahraini government’s response - confirming the attacks while denying
data loss - is a textbook example of cognitive dissonance in breach response.
When the leaked documents are verifiable and publicly accessible, denying their
existence erodes institutional credibility faster than the breach itself. This response
pattern is particularly damaging in the diplomatic context, where the affected
governments (the United States and Russia) have independent means to verify whether
their nationals’ documents were compromised.

The operational pattern of Al-Toufan warrants analysis beyond the individual incidents.
The group demonstrated the ability to sustain operations over more than a year, with
each wave showing escalation in both technical sophistication and political targeting.
Wave 1 was primarily disruptive (DDoS and defacement). Wave 2 incorporated data
exfiltration and publication - a qualitative escalation that requires deeper
network penetration, data identification, and operational infrastructure for leak
distribution. Wave 3 maintained persistent access to government-facing services.
This escalation ladder is characteristic of groups with sustained sponsorship or
organizational infrastructure, not ad hoc hacktivist collectives.

The geopolitical context is essential for understanding the threat model. Al-Toufan’s
operations align with the strategic interests of Iran-aligned actors in the region:
the Arab Spring anniversary timing references the Shia-majority population’s
grievances against the Sunni-led monarchy, while the November 2023 escalation directly
responded to Bahrain’s foreign policy alignment with Israel and condemnation of
Hamas. Whether Al-Toufan operates independently, receives direction from state-aligned
entities, or functions as a front for a more capable actor remains unconfirmed -
but the operational tempo, escalation pattern, and target selection suggest capabilities
beyond typical hacktivist groups.

The choice to publish diplomatic documents rather than citizen or government employee
data reveals a calculated strategic logic. By exposing foreign diplomatic PII, Al-Toufan
created consequences that extend beyond Bahrain’s domestic politics: it damaged
Bahrain’s credibility as a secure posting for foreign diplomatic missions, forced
the United States and Russia to reassess the security of their in-country diplomatic
communications, and demonstrated that Bahraini government systems cannot adequately
protect the most sensitive categories of entrusted data. This is information warfare
in its most precise form - using data exposure as a strategic lever to undermine
trust in state institutions.
## Regulatory Analysis
Bahrain’s Personal Data Protection Law (PDPL), enacted as Law No. 30 of 2018
and effective since August 2019, establishes a comprehensive framework for the
protection of personal data. The Al-Toufan campaign tests this framework across
multiple dimensions: government-held data, diplomatic records, cross-border data
obligations, and the adequacy of breach notification procedures.

Article 2 of the PDPL defines its scope to include any processing of personal data
carried out by a natural or legal person in the Kingdom of Bahrain. Government
ministries and agencies are not exempted from this scope, meaning the Foreign
Ministry’s processing of diplomatic documents, the Information Affairs
Ministry’s operations, and the e-visa service’s processing of applicant
data all fall squarely within the PDPL’s jurisdiction. The question is not
whether the PDPL applies but whether it was enforced.

Article 8 requires data controllers to implement appropriate technical and
organizational security measures proportionate to the sensitivity of the data
processed. Diplomatic passport scans and accreditation documents represent some
of the most sensitive personal data categories imaginable - they identify
individuals who serve in official government capacities abroad and whose exposure
may create physical security risks. The fact that these documents were exfiltrated
and published suggests that the Foreign Ministry’s technical security measures
were manifestly inadequate for the sensitivity of the data they were entrusted to
protect. A ministry that processes diplomatic credentials should maintain security
controls at least equivalent to classified information handling standards, including
air-gapped storage for biometric documents, strict access controls, and real-time
monitoring of any access to diplomatic record databases.

Article 12’s breach notification requirements are directly engaged by the
Wave 2 data exfiltration. The publication of passport scans and diplomatic card
renewal requests constitutes an unambiguous personal data breach under any reasonable
interpretation of the PDPL. The government’s denial of data loss, in the face
of publicly accessible leaked documents, raises serious questions about whether
notification obligations were fulfilled - either to the Personal Data Protection
Authority or to the affected foreign nationals whose passport data was compromised.
Under Article 12, the obligation to notify arises upon becoming aware that a breach
has occurred, not upon the controller’s willingness to acknowledge it.

The cross-border dimension introduces additional complexity. The affected data subjects
include American and Russian citizens whose personal data was processed by Bahraini
government entities. While the PDPL does not establish the same robust cross-border
transfer mechanisms as the EU’s GDPR, the international diplomatic implications
of exposing foreign nationals’ data create de facto obligations that transcend
the PDPL’s territorial scope. The United States government, in particular, has
established expectations for the protection of its nationals’ data by foreign
governments, and the exposure of American passport scans by a hacktivist group
exploiting Bahraini government systems has bilateral diplomatic consequences that
no domestic data protection law can fully address.

The maximum penalty under the PDPL - BD 20,000 (approximately $53,000 USD) -
is a rounding error in the context of a multi-wave campaign that compromised multiple
government ministries, exposed diplomatic credentials, and damaged Bahrain’s
international reputation as a secure diplomatic posting. No public enforcement action
has been reported against any government entity involved in the Al-Toufan incidents.
This pattern of non-enforcement against government bodies creates a two-tier regulatory
system where the PDPL functions as a constraint on private-sector data processing while
remaining effectively unenforceable against the state entities that process the most
sensitive categories of personal data.
## What Should Have Been Done
The multi-wave nature of the Al-Toufan campaign means that the Bahraini government had
multiple opportunities to harden its infrastructure after Wave 1 and prevent the more
damaging Waves 2 and 3. The failure to do so suggests either inadequate incident response
processes, insufficient investment in remediation, or a fundamental underestimation of
the threat actor’s persistence and escalation trajectory.

After Wave 1 in February 2023, the government should have immediately conducted a
comprehensive security assessment across all internet-facing government infrastructure.
When a threat actor successfully disrupts multiple government websites simultaneously,
the correct assumption is that additional access vectors exist and that the group will
return. A full audit of all government web applications, APIs, and public-facing services
should have been completed within 30 days of the initial wave, with prioritized
remediation of any critical or high-severity vulnerabilities. This assessment should
have included penetration testing of the Foreign Ministry’s systems, given the
politically motivated nature of the campaign and the sensitivity of diplomatic data.

Diplomatic records - including passport scans, accreditation documents, and
visa applications - should never be accessible from internet-facing systems.
These documents should be stored in isolated, air-gapped environments with strict
role-based access controls, multi-factor authentication, and comprehensive audit
logging of every access event. The document management system should implement
data-at-rest encryption with hardware security module (HSM)-managed keys, ensuring
that even if an attacker breaches the network perimeter, the documents remain
encrypted and inaccessible without the corresponding cryptographic keys. The fact
that Al-Toufan was able to exfiltrate readable passport scans suggests these
documents were stored in plaintext or in systems accessible from the compromised
network segments.

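
As an added illustration of the audit-logging and real-time monitoring controls recommended above (example code written for this page, not code from any Bahraini government system or from the original article): a small detector over constructed audit events from a document store, flagging bulk retrieval of passport scans and card renewal requests and any access from outside an assumed trusted subnet. The log format, field names, subnet and thresholds are all assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not from any real system): one record per retrieval.
SAMPLE_AUDIT_LOG = """
{"ts":"2023-11-20T09:02:11Z","user":"consular.clerk","src":"10.20.1.15","action":"view","doc":"passport_scan/A-001"}
{"ts":"2023-11-20T09:05:40Z","user":"consular.clerk","src":"10.20.1.15","action":"view","doc":"passport_scan/A-002"}
{"ts":"2023-11-20T23:41:02Z","user":"svc_web","src":"10.50.7.3","action":"export","doc":"passport_scan/A-001"}
{"ts":"2023-11-20T23:41:05Z","user":"svc_web","src":"10.50.7.3","action":"export","doc":"passport_scan/A-002"}
{"ts":"2023-11-20T23:41:09Z","user":"svc_web","src":"10.50.7.3","action":"export","doc":"passport_scan/A-003"}
{"ts":"2023-11-20T23:41:12Z","user":"svc_web","src":"10.50.7.3","action":"export","doc":"card_renewal/R-017"}
{"ts":"2023-11-20T23:41:20Z","user":"svc_web","src":"10.50.7.3","action":"export","doc":"passport_scan/A-004"}
{"ts":"2023-11-20T23:42:01Z","user":"svc_web","src":"10.50.7.3","action":"export","doc":"passport_scan/A-005"}
"""

TRUSTED_SUBNETS = ("10.20.",)          # assumed: the consular LAN where record access is expected
BURST_THRESHOLD = 5                    # assumed: more retrievals than this per window is a bulk pull
BURST_WINDOW = timedelta(minutes=10)
SENSITIVE_PREFIXES = ("passport_scan/", "card_renewal/")


def parse_events(text):
    """Parse newline-delimited JSON audit events and return them sorted by time."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for event in events:
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda event: event["ts"])


def detect_anomalies(events):
    """Return sorted (rule, user) alerts for suspicious access to sensitive records."""
    alerts = set()
    recent = defaultdict(list)  # user -> timestamps of sensitive retrievals inside the window
    for event in events:
        if not event["doc"].startswith(SENSITIVE_PREFIXES):
            continue
        if not event["src"].startswith(TRUSTED_SUBNETS):
            alerts.add(("untrusted_source", event["user"]))
        stamps = recent[event["user"]]
        stamps.append(event["ts"])
        stamps[:] = [t for t in stamps if event["ts"] - t <= BURST_WINDOW]  # slide the window
        if len(stamps) > BURST_THRESHOLD:
            alerts.add(("bulk_retrieval", event["user"]))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, user in detect_anomalies(parse_events(SAMPLE_AUDIT_LOG)):
        print(f"ALERT {rule}: {user}")
```

In a real deployment the same rules would run against the document store's audit stream in the SOC, with the alert feeding an automatic session revocation rather than only a console line.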
DDoS mitigation should have been deployed across all government web properties
following Wave 1. Commercial DDoS mitigation services from providers such as
Cloudflare, Akamai, or AWS Shield can absorb volumetric attacks that would
otherwise overwhelm government-hosted infrastructure. For critical services like
airport information systems and news agencies, always-on DDoS protection (rather
than on-demand scrubbing) should be the baseline configuration. The fact that
Wave 2 and Wave 3 were still able to take government sites offline months after
the initial attacks suggests that no meaningful DDoS mitigation was implemented
between waves.

Web application firewalls (WAFs) with virtual patching capabilities should have
been deployed to protect against the exploitation techniques used for website
defacement and data exfiltration. The e-visa service defacement in Wave 3 is
particularly concerning because visa application systems process structured
personal data (names, passport numbers, travel histories, biometric photos) that
is far more valuable than the website content itself. A properly configured WAF
with behavioral analysis rules would detect and block the anomalous request
patterns characteristic of SQL injection, file inclusion, and other web
application exploitation techniques typically used in defacement campaigns.

The government should have established a centralized security operations center
(SOC) with unified visibility across all government ministry networks. The
Al-Toufan campaign exploited the fact that each ministry likely operated its
own IT infrastructure with inconsistent security controls and no centralized
monitoring. A national government SOC would provide the correlation capabilities
needed to detect a campaign targeting multiple ministries simultaneously, enable
coordinated incident response, and ensure that lessons learned from each wave
are immediately applied across all government entities. Bahrain’s National
Centre for Cyber Security (NCCS) should have served this function, but the
multi-wave success of Al-Toufan suggests its operational capabilities were
insufficient to protect the government attack surface.

Finally, the government’s public communications strategy should have been
honest and transparent. Denying data loss when leaked documents are publicly
verifiable does not protect national security - it accelerates reputational
damage and undermines citizen and international trust in government institutions.
A credible incident response communication should have acknowledged the breach,
detailed the scope of affected data, described the remediation measures being
implemented, and offered concrete assurances to the affected foreign nationals
whose diplomatic documents were exposed. The diplomatic community expects
professionalism in breach response, not denial.

The Al-Toufan campaign demonstrated that sustained hacktivist operations can
achieve strategic impact against a nation-state when that state fails to learn
from each successive attack wave. The exfiltration and publication of diplomatic
passport scans transformed a hacktivist disruption campaign into an international
incident with intelligence and foreign policy consequences. Under Bahrain’s
PDPL, the government’s denial of data loss - contradicted by publicly
available evidence - represents a failure of both breach notification
obligations and institutional accountability. The BD 20,000 maximum penalty is
irrelevant when the regulator declines to act against the state entities it is
mandated to oversee.