Saudi Government Portal Pryx Exploits IDOR to Leak 40GB of Citizen Data

Aug 2024 · Government sector

By Karim El Labban · ZERO|TOLERANCE

Saudi Government Portal: Pryx Exploits IDOR to Leak 40GB of Citizen Data

On August 27, 2024, threat actor Pryx published approximately 40 gigabytes of data exfiltrated from saudi.gov.sa, the Saudi government's central services portal. The data included scanned national ID cards, driver's licenses, work CVs and resumes, and private email attachments.

Pryx exploited an Insecure Direct Object Reference (IDOR) vulnerability caused by poor cookie management. Pryx was later unmasked as a co-founder of the Hellcat ransomware group. The breach occurred 18 days before PDPL enforcement.

01

KEY FACTS

  • .What: Threat actor Pryx exploited IDOR to leak 40GB from saudi.gov.sa.
  • .Who: Saudi citizens who uploaded documents to the government portal.
  • .Data Exposed: National ID scans, driver's licenses, CVs, and email attachments.
  • .Outcome: Occurred 18 days before PDPL enforcement; Pryx unmasked as Hellcat co-founder.
02

SOURCES

Resecurity, BleepingComputer, Dark Reading, Saudi PDPL

RELATED ANALYSIS

Cisco Systems: ShinyHunters Claim 3M Salesforce Records, 300+ GitHub Repos, and AWS Data in Triple-Vector Extortion
Mar 31, 2026 · 3M+ records claimed · 300+ repos · April 3 deadline
Oracle's Dual Breach: 6M Cloud SSO Records Stolen, 80 Hospitals Compromised - and a Denial That Collapsed Under Evidence
Mar 21, 2025 · 6M records · 140K tenants · 80 hospitals
TriZetto/Cognizant: 3.4M Patient Records Stolen in 11-Month Healthcare Supply Chain Breach
Feb 6, 2026 · 3.4M patients · 11-month dwell · ~24 lawsuits
Infinite Campus: ShinyHunters Breach K-12 Platform Serving 11M Students via 10-Minute Vishing Attack
Mar 18, 2026 · 11M students · 3,200+ districts · 46 states
Crunchyroll: 6.8M Users Exposed After Infostealer Malware Compromises TELUS Support Agent's Okta Credentials
Mar 12, 2026 · 6.8M users · 100GB stolen · $5M ransom
MORE DATA BREACHES →