Krypton Security 'Largest Hack in Lebanon's History'

Jul 2018 · Multi-sector

By Karim El Labban · ZERO|TOLERANCE

In June 2018, Lebanese authorities arrested Khalil Sehnaoui, the prominent founder and CEO of Krypton Security, a Beirut-based cybersecurity firm.

Sehnaoui and two associates were charged with breaching Ogero Telecom (the state ISP), the Interior Ministry, the Ministry of Economy, the Internal Security Forces (ISF), General Security, the Lebanese Armed Forces, two telecommunications companies, multiple banks, and the systems of Rafic Hariri International Airport.

The case exposed the catastrophic state of cybersecurity across Lebanon’s most sensitive government and private-sector institutions.

## Key Facts

  • **What:** A cybersecurity CEO allegedly breached Lebanon's state ISP, banks, military, security agencies, and airport systems.
  • **Targets:** Ogero, the Interior Ministry, the Ministry of Economy, banks, the airport, and the security agencies.
  • **Data Exposed:** Criminal records, airport travel logs, banking data, and telecom intercept data.
  • **Outcome:** Khalil Sehnaoui arrested; tried in military court with limited transparency.

## What Was Exposed

  • Banking credentials and financial records from multiple Lebanese financial institutions
  • Criminal records and investigative case files from the Internal Security Forces (ISF) databases
  • Airport travel logs from Rafic Hariri International Airport, including passenger manifests and entry/exit records
  • Telecom intercept capabilities and communication surveillance data from Ogero and two private telecommunications carriers
  • Interior Ministry records including citizen registration data and identification information
  • Ministry of Economy commercial and trade records
  • General Security intelligence data, including files related to foreign nationals and refugees in Lebanon
  • Lebanese Armed Forces internal communications and personnel data

The breadth of the compromise was unprecedented in Lebanon. The targets were not random; together they constituted the core infrastructure of the Lebanese state.

Ogero Telecom, as Lebanon’s state-owned internet service provider, serves as the backbone of the country’s internet infrastructure.

Access to Ogero’s systems potentially provided visibility into internet traffic patterns, subscriber data, and the infrastructure used for lawful interception by security agencies.

The compromise of the ISP was therefore not merely a data breach but a potential intelligence goldmine, since it could grant visibility into much of the country's digital communications infrastructure.

The ISF and General Security breaches were particularly alarming from a national security perspective. The Internal Security Forces maintain criminal records, ongoing investigation files, and intelligence databases related to domestic security threats.

General Security, which handles immigration, counterintelligence, and the monitoring of foreign nationals in Lebanon, holds some of the country’s most sensitive intelligence data.

Access to these systems would provide comprehensive visibility into Lebanon’s security operations, ongoing investigations, and intelligence priorities.

The airport system compromise added a physical security dimension to the digital breach.

Access to Rafic Hariri International Airport’s systems would reveal passenger travel patterns, airline manifests, and potentially the identities of individuals under travel monitoring by security agencies.

This information could be exploited to track the movements of specific individuals, identify undercover operatives traveling through Beirut, or facilitate illegal border crossings by circumventing watchlist checks.

The case was handled by Lebanon’s military court system rather than civilian courts, a decision that restricted public access to proceedings and limited transparency about the technical details of the intrusions.

The military tribunal's jurisdiction was invoked because several of the compromised entities (the Lebanese Armed Forces, General Security, and the ISF) fall under military justice authority when matters of national security are involved.

This jurisdictional choice also meant that the civilian data protection concerns raised by the breach of banking records, telecom data, and citizen registration information received less attention than the national security dimensions.

What made the Krypton case particularly disturbing was the identity of the alleged perpetrator. Khalil Sehnaoui was not an anonymous hacker operating from the shadows.

He was one of Lebanon’s most visible cybersecurity professionals, a regular speaker at international conferences, a media commentator on digital security issues, and the head of a firm that ostensibly helped organizations defend against exactly the kind of attacks he was accused of conducting.

The case raised fundamental questions about the insider threat posed by security professionals who possess both the technical skills and the institutional trust to compromise the organizations they serve.

The investigation also revealed that the breaches had occurred over an extended period spanning 2017 and 2018, suggesting that the compromised institutions either lacked the monitoring capabilities to detect unauthorized access or were aware of anomalies and failed to investigate them adequately.

The sustained nature of the access meant that the amount of data potentially exfiltrated was not limited to a snapshot but could include months or years of records, communications, and intelligence data.

## Regulatory Analysis

The Krypton Security case fell in a regulatory gap. The arrests occurred in June and July 2018, and Law No. 81 on Electronic Transactions and Personal Data was enacted in October 2018, just months later.

At the time of the alleged offenses, Lebanon relied primarily on the Penal Code and Law No. 140 of 1999 on telecommunications secrecy for any legal framework applicable to unauthorized access to computer systems.

The prosecution proceeded under criminal statutes rather than data protection provisions, which meant the focus was on the unauthorized access itself rather than on the protection of the millions of data subjects whose personal information was compromised.

Banking customers whose credentials were stolen, citizens whose criminal records were exposed, travelers whose airport logs were accessed, and telecom subscribers whose communications data was compromised were treated as background elements in a criminal case rather than as data subjects with independent rights to notification, remediation, and protection.

Had Law No. 81 been in effect and had a Data Protection Authority existed at the time, the regulatory response should have included several parallel actions.

Each compromised entity (Ogero, the banks, the ministries, and the airport) would have had obligations to assess the scope of personal data compromised and to notify affected individuals.

Article 97 of Law No. 81 establishes principles of lawful processing, and the failure to secure personal data against unauthorized access constitutes a violation of these principles regardless of whether the entity was the victim of a hack.

Data controllers bear responsibility for the security of the personal data they hold, even when the breach is caused by a third party.

The absence of a DPA meant there was no independent authority to demand transparency from the compromised institutions, to assess the adequacy of their security measures before the breach, or to mandate remediation measures afterward.

The military court proceedings, with their inherent secrecy, ensured that the public never received a full accounting of what data was compromised, how many individuals were affected, or what steps were taken to prevent future intrusions.

In a country with a functioning DPA, the data protection investigation would proceed independently of the criminal prosecution, ensuring that victims’ data protection rights were addressed regardless of the outcome of criminal proceedings.

The Krypton case also highlights the absence of any cybersecurity incident reporting framework for critical infrastructure in Lebanon.

None of the compromised entities (not Ogero, not the banks, not the airport, not the government ministries) had any legal obligation to publicly disclose the breach or to notify affected individuals.

This stands in stark contrast to jurisdictions with comprehensive data protection frameworks, where breaches of this magnitude would trigger mandatory notification requirements with strict timelines.

## What Should Have Been Done

The Krypton case exposed systemic failures in cybersecurity governance across Lebanon’s most critical institutions. The first and most fundamental failure was the lack of access controls and monitoring on sensitive government and infrastructure systems.

The fact that an external actor could compromise Ogero, multiple government ministries, security agencies, banks, and airport systems suggests either that these organizations shared common infrastructure vulnerabilities, or that the attacker leveraged access to one system to pivot to others through interconnected networks.

Network segmentation should have prevented the lateral movement between systems that the breach pattern suggests. Government ministries, security agencies, telecommunications infrastructure, and banking systems should not be accessible from a common attack surface.

Each critical system should operate in a segmented network environment with strict controls on inter-network communications and mandatory authentication at each boundary.

Privileged access management (PAM) solutions should have been deployed across all critical systems, with all administrative access logged, monitored, and subject to multi-factor authentication.

The fact that the alleged attacker was a cybersecurity professional who may have had some degree of legitimate access to certain systems makes PAM controls even more critical.

Just-in-time access provisioning, session recording, and anomaly detection on privileged accounts could have identified unauthorized access patterns even from a trusted insider.

The banking sector's involvement demands particular attention. Banque du Liban (BDL), the central bank, should have required banks to implement security operations center (SOC) capabilities with 24/7 monitoring for unauthorized access to critical systems.

The compromise of banking credentials suggests that the attacker accessed backend systems rather than simply harvesting customer-facing login data.

Banks should have deployed database activity monitoring solutions that alert on unusual queries against credential stores and customer databases.
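The kind of detection logic the three preceding paragraphs call for (baselining privileged accounts, then alerting on a new source host, a new table, off-hours activity, or a bulk read against a credential store) can be sketched in a few dozen lines. The example below is added here for illustration; it is not code from the article, from Krypton Security, or from any of the affected institutions. The audit-log format, the account and host names, the table names and the business-hours window are all constructed assumptions, and the detector is run over constructed sample lines rather than any real data.

```python
"""Privileged-account anomaly detection over database audit lines.

Added illustration; the log format, user names, hosts and tables are all
constructed for the example and do not come from any real institution.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Assumed audit format: one event per line, key=value fields after a UTC timestamp.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"action=(?P<action>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)
# Tables whose bulk export is an incident on its own (assumed names).
CREDENTIAL_STORES = {"customer_credentials", "admin_password_hashes"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC, assumed for the example


def parse_event(line):
    """Parse one audit line; malformed input raises rather than being dropped silently."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable audit line: {line!r}")
    f = m.groupdict()
    ts = datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": f["user"], "host": f["host"],
            "action": f["action"], "table": f["table"], "rows": int(f["rows"])}


def build_baseline(lines):
    """Per-user profile from a clean training window: source hosts, tables touched, row counts."""
    profile = defaultdict(lambda: {"hosts": set(), "tables": set(), "rows": []})
    for e in map(parse_event, lines):
        p = profile[e["user"]]
        p["hosts"].add(e["host"])
        p["tables"].add(e["table"])
        p["rows"].append(e["rows"])
    return dict(profile)


def detect(baseline, lines, sigma=3.0):
    """Return one alert per event that deviates from its user's baseline (or has none)."""
    alerts = []
    for e in map(parse_event, lines):
        reasons = []
        p = baseline.get(e["user"])
        if p is None:
            reasons.append("unknown-privileged-user")
        else:
            if e["host"] not in p["hosts"]:
                reasons.append("new-source-host")
            if e["table"] not in p["tables"]:
                reasons.append("new-table")
            mean = statistics.mean(p["rows"])
            sd = statistics.pstdev(p["rows"]) or 1.0  # guard against a constant baseline
            if e["rows"] > mean + sigma * sd:
                reasons.append("bulk-read")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if e["table"] in CREDENTIAL_STORES and e["action"] == "SELECT" and e["rows"] > 100:
            reasons.append("credential-store-export")
        if reasons:
            alerts.append({"ts": e["ts"].isoformat(), "user": e["user"], "host": e["host"],
                           "table": e["table"], "rows": e["rows"], "reasons": reasons})
    return alerts


# Constructed training window: routine DBA activity from the jump host in working hours.
BASELINE_LINES = [
    "2018-03-12T09:14:02Z user=svc_dba host=jump-01 action=SELECT table=customer_accounts rows=12",
    "2018-03-12T11:40:51Z user=svc_dba host=jump-01 action=UPDATE table=customer_accounts rows=1",
    "2018-03-13T10:02:33Z user=svc_dba host=jump-01 action=SELECT table=transactions rows=40",
    "2018-03-13T16:55:10Z user=svc_dba host=jump-01 action=SELECT table=transactions rows=25",
]
# Constructed detection window: one routine event, one suspicious session, one unknown account.
NEW_LINES = [
    "2018-04-02T10:05:44Z user=svc_dba host=jump-01 action=SELECT table=transactions rows=30",
    "2018-04-02T02:17:09Z user=svc_dba host=vpn-pool-17 action=SELECT table=customer_credentials rows=48213",
    "2018-04-02T14:30:00Z user=consult_ext host=jump-01 action=SELECT table=customer_accounts rows=5",
]

if __name__ == "__main__":
    for a in detect(build_baseline(BASELINE_LINES), NEW_LINES):
        print(a["ts"], a["user"], a["host"], a["table"], a["rows"], ",".join(a["reasons"]))
```

The routine event produces nothing; the 02:17 session from an unprofiled VPN address that pulls tens of thousands of rows from the credential table trips every rule at once, and the account with no baseline is flagged simply for existing. In production the baseline would be rebuilt on a rolling window and the row-count threshold tuned per table, but the structure is the point: the signal that distinguishes an insider with valid credentials from a legitimate administrator lies in where, when and how much, not in whether the login succeeded.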

At the national level, Lebanon should have established a centralized cybersecurity incident response authority responsible for coordinating across government agencies and critical infrastructure operators.

The absence of such an authority meant that each compromised entity responded (or failed to respond) independently, without the benefit of threat intelligence sharing, coordinated forensics, or unified remediation efforts.

The case also underscores the need for vetting and continuous monitoring of individuals with privileged access to critical systems. Background checks, periodic security clearance reviews, and behavioral analytics for privileged users are standard practices in countries with mature cybersecurity governance. Lebanon's failure to implement these measures at the institutional level left its most sensitive systems vulnerable to insider threats.

The handling of the case through military courts rather than civilian proceedings created a transparency deficit that undermines accountability. In jurisdictions with robust data protection frameworks, the civilian DPA investigation would proceed in parallel with any criminal proceedings, ensuring that the data protection rights of affected individuals are addressed regardless of the criminal case's outcome.

The military tribunal's closed proceedings meant that the Lebanese public never received a full accounting of which systems were compromised, how many individuals' data was exposed, or what remedial actions were taken by the affected institutions.

For the millions of Lebanese citizens whose data resided in the compromised systems (anyone with a criminal record in the ISF database, anyone who traveled through Beirut airport, anyone who used Ogero internet services, anyone with accounts at the affected banks), the breach potentially touched a significant portion of the national population. These individuals were never notified, never given the opportunity to assess their personal risk, and never offered any remediation. The absence of a breach notification framework meant that the government effectively decided, on behalf of millions of data subjects, that they did not need to know their data had been stolen.

The Krypton case also exposed the irony of Lebanon's cybersecurity ecosystem. The country's most prominent cybersecurity firm was allegedly the source of its most devastating hack. This paradox highlights the danger of concentrating trust in individual security practitioners without institutional verification mechanisms.

The cybersecurity industry globally relies on a foundation of trust: organizations grant security consultants extraordinary access to their systems based on professional reputation and certifications. The Krypton case demonstrates what happens when that trust is misplaced and no institutional safeguards exist to detect or prevent its abuse.

The Krypton Security case demonstrated that Lebanon's critical infrastructure, from its state ISP to its airport and from its banking sector to its intelligence agencies, could be comprehensively compromised by a single actor.

The country’s law on data protection was enacted months after the arrests but remains unimplemented in practice.

Without a DPA, without mandatory breach notification, and without a national cybersecurity authority, Lebanon’s citizens have no mechanism to learn when their most sensitive data has been compromised or to hold institutions accountable for failing to protect it.
