Lebanon Ministry of Education 83,000 Student and Teacher Records Leaked

2022-2023 · 83K affected

By Karim El Labban · ZERO|TOLERANCE

In two separate incidents in 2022 and 2023, the Lebanese Ministry of Education and Higher Education exposed the personal data of approximately 83,000 students and teachers through its own negligence rather than any external attack.

In 2022, the results of the Brevet official examinations for approximately 56,000 students were published with full personally identifiable information, including names, phone numbers, and email addresses alongside exam scores.

In 2023, the ministry published a spreadsheet containing the records of approximately 27,000 teachers on its official website, including names, bank account numbers, salary information, and marital status. The teachers’ data was subsequently shared widely via WhatsApp groups.

Both incidents were documented by SMEX, Lebanon’s leading digital rights organization, and resulted in zero enforcement action under Law No. 81.

## Key Facts

  • **What:** Lebanon's Education Ministry leaked 83,000 student and teacher records online.
  • **Who:** 56,000 students (2022) and 27,000 teachers (2023) had data exposed.
  • **Data Exposed:** Exam scores, bank account numbers, salaries, and personal IDs.
  • **Outcome:** Zero enforcement under Law No. 81; no DPA exists to investigate.

## What Was Exposed

  • Full names of approximately 56,000 students who sat for the 2022 Brevet examinations
  • Student email addresses and phone numbers associated with examination registrations
  • Detailed exam results including scores by subject, overall grades, and pass/fail status
  • Student registration numbers and school identifiers enabling cross-referencing with other databases
  • Full names of approximately 27,000 teachers employed by the Ministry of Education
  • Teacher bank account numbers including IBAN details used for salary payments
  • Monthly salary amounts for each teacher, revealing individual compensation levels
  • Marital status, date of birth, and personal identification numbers for teaching staff
  • School assignments and employment grades for the teaching workforce

These incidents stand apart from the other Lebanon cyber incidents covered in this series because there was no external attacker, no sophisticated malware, and no state-sponsored espionage.

The data was exposed by the government itself through basic negligence in how it published information on its own website.

The 2022 student data leak occurred when the Ministry published Brevet exam results in a format that included personal contact information alongside academic scores.

While exam results have traditionally been published in Lebanon, the inclusion of email addresses and phone numbers went far beyond what was necessary or appropriate for results publication.

The 2023 teacher data leak was even more egregious. A spreadsheet containing the complete personnel records of 27,000 teachers was uploaded to the Ministry’s official website, apparently as an administrative error.

The file contained bank account numbers, salary figures, and personal status information that should have been classified as highly sensitive.

Once the file was discovered, it was downloaded and redistributed through WhatsApp groups, ensuring that the data spread far beyond the initial exposure on the ministry’s website.

Even after the file was eventually removed from the website, the WhatsApp redistribution made containment impossible.

The exposure of teacher bank account numbers is particularly dangerous.

Bank account details, combined with names and personal identification information, provide the essential ingredients for banking fraud, including unauthorized direct debit schemes, social engineering attacks against banks, and identity theft.

In Lebanon’s current economic crisis, where teachers’ salaries have been drastically devalued and many are struggling financially, the exposure of their financial data to potential fraudsters adds insult to an already devastating economic situation.

The publication of salary information carries social consequences that extend beyond financial fraud. In Lebanese society, as in many cultures, individual compensation is considered private information.

The public exposure of salary data for 27,000 teachers creates potential for workplace tension, social comparison, and personal embarrassment.

Teachers whose salaries are lower than their peers may face stigma, while those with higher salaries may face unwanted attention or pressure from family and community members.

For the 56,000 students whose Brevet results were leaked with contact information, the risks include targeted scam campaigns exploiting examination anxiety.

Students who failed exams are particularly vulnerable to scams offering grade corrections, fake university admissions, or fraudulent educational services. The combination of exam results with contact information creates a perfectly segmented target list for such schemes.

In a country where educational credentials carry significant social weight, the public association of individual names with specific exam scores also carries reputational implications for students and their families.

## Regulatory Analysis

Both incidents occurred well after the enactment of Law No. 81 of 2018. The 2022 student data leak and the 2023 teacher data leak should have been subject to the law’s provisions on lawful data processing, purpose limitation, data minimization, and security.

The Ministry of Education, as a government data controller processing the personal data of students and teachers, has clear obligations under the law. The reality is that the law was not applied in either case.

Article 97 of Law No. 81 establishes that personal data must be collected for specified, explicit, and legitimate purposes and must not be further processed in a manner incompatible with those purposes.

The collection of student contact information for examination administration purposes does not authorize its publication alongside exam results.

The publication of teacher bank account numbers on a public website is incompatible with any legitimate purpose for which that data was collected. Both incidents represent clear violations of the purpose limitation principle that is foundational to data protection law.

Article 99 of Law No. 81 addresses the security of personal data, requiring data controllers to implement appropriate technical and organizational measures to protect personal data against unauthorized disclosure.

The publication of sensitive personal data on a government website does not constitute “unauthorized” disclosure in the traditional sense (it was the ministry itself that published the data), but it clearly represents a failure of the organizational measures required to prevent inappropriate data exposure.

The absence of any review or approval process before publishing data files on the ministry’s website indicates a systemic failure of data governance.

The critical missing element, as with every Lebanon data protection case, is enforcement. Law No. 81 mandates the creation of a Data Protection Authority with the power to receive complaints, investigate violations, and impose sanctions. This authority does not exist.

When SMEX documented the 2022 student data leak and the 2023 teacher data leak, there was no regulatory body to report the incidents to, no authority to demand remediation, and no mechanism to impose consequences on the ministry for its negligence.

The government-as-violator dynamic creates an additional layer of regulatory impossibility. Even if a DPA existed, its independence would be tested by cases involving government ministries.

In many countries, data protection authorities have struggled to hold government agencies accountable with the same rigor applied to private sector entities.

In Lebanon, where institutional independence is compromised by sectarian power-sharing arrangements and political patronage, the prospect of a DPA sanctioning a ministry is already questionable. But without a DPA at all, the question is moot.

The SMEX documentation of these incidents serves a crucial function in the absence of regulatory enforcement.

By publicly documenting government data protection failures, civil society organizations create an accountability record that may eventually inform enforcement actions if and when a DPA is established.

However, documentation without enforcement does not provide remediation for the 83,000 individuals whose data was exposed.

## What Should Have Been Done

Both incidents were preventable through basic data governance practices that require no sophisticated technology or significant investment. For the student examination results, the ministry should have implemented a data minimization review before any publication.

Exam results can be published using registration numbers or other identifiers that do not include personal contact information.

Many countries publish examination results using unique identifiers that only the student and their school can use to look up individual results, avoiding any public exposure of personal data.

This is not a novel approach; it is standard practice in jurisdictions that take data protection seriously.

For the teacher personnel data, the ministry should have implemented access controls on its website content management system that prevent the upload of files containing sensitive personal data without multi-level approval.

A simple automated scan of files being uploaded to public-facing sections of the website could flag documents containing patterns consistent with bank account numbers, national identification numbers, or salary data. Such tools are readily available and inexpensive.

The ministry should have established a data classification policy that categorizes teacher personnel records, including bank account numbers and salary information, as confidential data that may not be published on public-facing platforms under any circumstances.

This classification should be enforced through both technical controls (file access restrictions, upload filters) and organizational controls (mandatory review and approval workflows for any data publication).
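The automated upload scan described above can be sketched as a pre-publication gate. This is an added example, not ministry or SMEX code: it flags sensitive column headers, email addresses, and IBAN-shaped values that pass the ISO 13616 mod-97 check. The header keywords, regexes, function names, and sample rows are assumptions constructed for illustration.

```python
import csv, io, re

# Patterns and header keywords are assumptions for this example; tune per deployment.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SENSITIVE_HEADERS = ("iban", "account", "salary", "marital", "birth", "phone", "email")

def _mod97(s):
    # ISO 13616 check: move the first 4 chars to the end, map A-Z to 10-35, mod 97.
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97

def iban_is_valid(candidate):
    return _mod97(candidate) == 1

def make_iban(country, bban):
    """Build a constructed IBAN with correct check digits, for test data only."""
    return f"{country}{98 - _mod97(country + '00' + bban):02d}{bban}"

def scan_csv(text):
    """Return (row_number, column, finding) tuples for a CSV queued for publication."""
    findings = []
    reader = csv.reader(io.StringIO(text))
    header = next(reader, [])
    for name in header:
        if any(key in name.lower() for key in SENSITIVE_HEADERS):
            findings.append((1, name, "sensitive-column"))
    for row_no, row in enumerate(reader, start=2):
        for name, cell in zip(header, row):
            compact = cell.replace(" ", "").upper()  # IBANs are often printed in groups of 4
            if any(iban_is_valid(m) for m in IBAN_RE.findall(compact)):
                findings.append((row_no, name, "iban"))
            if EMAIL_RE.search(cell):
                findings.append((row_no, name, "email"))
    return findings

def may_publish(text):
    """Gate: publish only when the scan returns no findings."""
    return not scan_csv(text)

# Constructed sample data (not real records).
SAMPLE_IBAN = make_iban("LB", "0000" + "00000000001234567890")
LEAKY = f"name,iban,salary\nConstructed Teacher,{SAMPLE_IBAN},1500\n"
SAFE = "registration_number,subject,score\n100234,Math,14\n"

if __name__ == "__main__":
    for label, data in (("leaky", LEAKY), ("safe", SAFE)):
        print(label, may_publish(data), scan_csv(data))
```

The checksum step matters because it keeps long registration or serial numbers from triggering false alarms, and a gate like this complements the human approval workflow rather than replacing it.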

Once the leaks were discovered, the ministry should have taken immediate remediation steps.

For the teacher data, this should have included proactive notification to all 27,000 affected teachers, advising them to monitor their bank accounts for unauthorized activity, to contact their banks about the exposure, and to be alert for social engineering attempts using the leaked information.

For the student data, similar notification should have been provided to students and their parents, with specific warnings about examination-related scams.

At the institutional level, the Ministry of Education should have appointed a data protection officer responsible for reviewing all data publications and ensuring compliance with Law No. 81, regardless of whether a DPA exists to enforce it.

Organizations that proactively comply with data protection law, even in the absence of enforcement, protect their data subjects and build institutional data governance capacity that will be valuable when enforcement eventually materializes.

The WhatsApp redistribution of the teacher data highlights the irreversibility of data exposure. Once sensitive data is published on a public website, it is effectively impossible to recall. The ministry’s belated removal of the file from its website was meaningless given that the data had already been downloaded and redistributed through messaging platforms. This irreversibility underscores the importance of prevention over response: once the data is out, no remediation can undo the exposure.

Lebanon’s education data leaks also deserve comparison with how similar incidents are handled in jurisdictions with functioning data protection enforcement. In the European Union, a government ministry that published 27,000 teachers’ bank account numbers on its website would face an immediate investigation by the national DPA, mandatory notification to all affected individuals, potential fines under GDPR Article 83 of up to 20 million euros or 4% of annual budget, and public reporting of the violation. In Lebanon, the same incident resulted in a SMEX report and nothing else. The contrast illustrates not just the absence of a DPA but the complete absence of any accountability mechanism for government data protection failures.

The economic context of Lebanon’s ongoing financial crisis makes these leaks particularly harmful. Teachers in Lebanon have seen their salaries lose more than 90% of their purchasing power since the economic collapse began in 2019. The exposure of their already-diminished salary information, combined with their bank account details, makes them targets for financial fraud at a time when they can least afford it. Students and their families, many of whom are struggling to afford education in the midst of the crisis, face the added burden of potential identity theft and scam targeting. The government that failed to protect their economic welfare also failed to protect their personal data.

When the Lebanese government itself becomes the threat actor, exposing 83,000 students’ and teachers’ personal data through its own negligence, the absence of a Data Protection Authority transforms from a regulatory gap into a structural betrayal of citizens’ rights.

Law No. 81 exists. The violations are clear. The victims are identifiable. But without the DPA that the law mandates, there is no one to file a complaint with, no one to investigate, and no one to hold the government accountable.

Lebanon wrote the rules and then refused to hire a referee.
