In May 2024, a threat actor operating under the alias “sentap” (also known
as “Zestix”) listed a SQL database containing over 7 million patient records
from a Saudi pharmaceutical health platform for sale on the Exploit cybercrime forum. The
dataset, sourced from 2023 records, included full patient names, phone numbers, home
addresses, payment methods, transaction details, and highly sensitive physiological and
medical information such as blood type, height, weight, gender, pregnancy status, and
breastfeeding status.
The listing was placed behind a paywall requiring Exploit forum points, a mechanism
designed to restrict access to vetted forum members and increase the perceived value
of the offering. Sentap is a known Initial Access Broker (IAB) with documented links
to the FunkSec Ransomware-as-a-Service (RaaS) operation, specializing in the sale of
compromised credentials and unauthorized access to corporate environments.
## Key Facts
- **What:** 7 million patient records sold on the Exploit forum by threat actor sentap.
- **Who:** Patients of a Saudi pharmaceutical health platform (up to 1 in 5 residents).
- **Data Exposed:** Names, addresses, blood types, pregnancy status, and payment details.
- **Outcome:** Occurred during the PDPL grace period; sentap linked to FunkSec RaaS.
## What Was Exposed
- Full patient names linked to pharmaceutical transaction histories and medical
profiles spanning the 2023 calendar year
- Phone numbers and residential addresses associated with patient registration
and delivery records
- Payment methods and detailed transaction records, including purchase histories
for pharmaceutical products and health services
- Physiological data including height, weight, gender, and blood type
- Reproductive health indicators, namely pregnancy status and breastfeeding
status, classified as sensitive personal data under the PDPL
The scale of 7 million records is striking in the context of Saudi Arabia’s
population of approximately 36 million. If the records represent unique individuals,
this breach could affect roughly one in five residents of the Kingdom. Even accounting
for duplicate entries and repeat customers, the exposure represents a significant
proportion of the population that has interacted with the pharmaceutical health
platform.
The inclusion of reproductive health data (pregnancy and breastfeeding status)
elevates this breach beyond a conventional data exposure. In the cultural context of
Saudi Arabia, the unauthorized disclosure of a woman’s pregnancy or breastfeeding
status can have profound personal and social consequences. This category of data is
among the most sensitive recognized under international data protection frameworks,
and its appearance in a dark web listing intended for criminal exploitation represents
a severe failure of the duty of care owed to patients.
The threat actor sentap has a well-documented operational profile across threat
intelligence platforms. As an IAB active on the Exploit forum, sentap’s known
methods include leveraging infostealer-derived credentials, exploiting misconfigured
SFTP/FTP services, and selling initial access to larger ransomware groups. The
connection to FunkSec RaaS operations is particularly concerning, as it suggests
that sentap operates within a broader criminal ecosystem where initial access is
monetized through multiple channels: direct database sales, ransomware
deployment, or both. The SQL format of the dataset and the 2023 date range suggest
that sentap either gained persistent access to the platform’s backend database
through stolen credentials or exploited a misconfigured asset that exposed database
interfaces to the internet.
The Exploit forum’s paywall model, which requires forum points earned through
community participation or purchased from established members, serves as a vetting
mechanism that ensures only serious buyers gain access to the listing. This is not a
casual data dump on a public paste site; it is a structured commercial offering within
one of the most established Russian-language cybercrime ecosystems. The paywall model
also makes it more difficult for threat intelligence firms and law enforcement to
monitor and acquire the data for analysis, reducing the likelihood of early detection
and victim notification.
## Regulatory Analysis
This breach occurred during the PDPL grace period, which ran from September 2023 until
full enforcement on September 14, 2024. During this transitional window, organizations
were expected to bring their data processing practices into compliance with the law,
but SDAIA had not yet begun formal enforcement actions. The timing creates a regulatory
gray zone: the breach represents conduct that would clearly violate the PDPL under full
enforcement, but the formal penalty mechanisms were not yet operational at the time of
the data’s appearance on the Exploit forum.
Under the now-active enforcement regime, the platform operator would face significant
regulatory exposure. Article 16 of the PDPL classifies health data as sensitive
personal data, and the reproductive health indicators in this dataset (pregnancy
and breastfeeding status) fall squarely within the most protected category.
Processing sensitive data requires either explicit consent from the data subject or a
specific legal basis enumerated in the law, and the security obligations attached to
sensitive data are correspondingly heightened.
Article 19 mandates breach notification to SDAIA within 72 hours when personal data
is compromised in a manner that may harm individuals. The sale of 7 million patient
records on a cybercrime forum unambiguously meets this threshold. Under current rules,
the platform operator would be required to notify SDAIA, detail the categories and
volume of data affected, and describe the measures taken to contain the breach. The
maximum administrative penalty of SAR 5 million could be imposed, though given the
scale and sensitivity of the exposed data, supplementary enforcement actions including
mandatory audits and operational restrictions would also be likely.
## What Should Have Been Done
The platform should have implemented a credential security program that specifically
addressed the threat of infostealer malware, which is sentap’s known primary
attack vector. This includes mandatory multi-factor authentication (MFA) for all
administrative and database access, certificate-based authentication for machine-to-machine
connections, and continuous monitoring of dark web credential markets for any leaked
credentials associated with the platform’s domains and email addresses. Credential
hygiene should have been enforced through automated password rotation, prohibition of
password reuse across systems, and integration with threat intelligence feeds that flag
compromised credentials in real time.
SFTP and FTP services, which are among sentap’s documented exploitation targets,
should have been secured with IP allowlisting, key-based authentication rather than
password authentication, and continuous monitoring for anomalous file transfers. Any
file transfer protocol that exposes database contents or patient data should have been
isolated from the public internet and accessible only through a VPN or zero-trust
network architecture. Legacy FTP services should have been decommissioned entirely
in favor of SFTP with enforced encryption.
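To make the SFTP hardening concrete, the following sshd_config fragment is an added example and not the platform's actual configuration: it shows the weak settings that let one stolen password open a full shell from anywhere, and the replacement that confines a transfer group to key-only, SFTP-only sessions from a single management network. The group name `sftponly`, the chroot path and the 10.0.30.0/24 range are assumptions.

```sshd_config
# Weak settings (typical defaults) that a stolen or infostealer-harvested
# password turns into an interactive shell reachable from the internet:
#   PasswordAuthentication yes
#   Subsystem sftp /usr/lib/openssh/sftp-server

# Hardened replacement. Global settings first: no password or keyboard-
# interactive logins anywhere on this host, keys only.
# (KbdInteractiveAuthentication is named ChallengeResponseAuthentication
# on OpenSSH releases before 8.7.)
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
Subsystem sftp internal-sftp

# IP allowlisting: every account may only connect from the management
# network (assumed 10.0.30.0/24); sessions from other sources are refused
# before authentication even begins.
AllowUsers *@10.0.30.0/24

# Members of the assumed 'sftponly' group get a chrooted SFTP session and
# nothing else: no shell, no port forwarding, no tunnels.
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

Two operational caveats: `ChrootDirectory` must be owned by root and not writable by the group or others, or sshd refuses the login; and the allowlist only helps if the VPN or zero-trust gateway that fronts the management network is itself protected by MFA, since a stolen SSH private key plus a reachable network path is exactly the access an IAB resells. Validate the file with `sshd -t` before reloading.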
Database security should have included encryption at rest and in transit, with column-level
encryption for the most sensitive fields including reproductive health indicators. Database
activity monitoring (DAM) should have been deployed to detect bulk extraction queries, and
data loss prevention (DLP) controls should have flagged the exfiltration of a 7-million-row
dataset. Network segmentation should have isolated the patient database from internet-facing
application servers, ensuring that even if an attacker compromised the web layer, lateral
movement to the database tier would require bypassing additional authentication and
monitoring controls.
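As an added example that is not code from the page or from the platform operator, the following Python sketch implements the kind of database activity monitoring rules the paragraph describes and runs them over constructed audit records: a single statement returning an oversized result set, an unbounded read of a sensitive table, a server-side dump statement (`INTO OUTFILE`, `COPY ... TO`), a connection from a source outside the application tier, and the edge case DAM rules often miss, a chunked `LIMIT`/`OFFSET` pull where every page stays under the per-query threshold but the total inside a time window does not. The record format, table names, thresholds and source allowlist are all assumptions.

```python
"""Bulk-extraction detection over database audit records.

Added example, not code from the page or from the platform it describes.
Assumptions: a constructed audit record format (ts, user, src_ip, statement,
rows returned), assumed table names and thresholds, and an assumed
application-tier source allowlist.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed: tables that hold patient PII and health indicators.
SENSITIVE_TABLES = {"patients", "transactions", "health_profiles"}
# Assumed: the only hosts that should ever open a session touching those tables.
ALLOWED_SOURCES = {"10.0.20.11", "10.0.20.12"}
SINGLE_QUERY_ROW_LIMIT = 50_000       # rows returned by one statement
WINDOW = timedelta(minutes=10)        # sliding window for chunked pulls
WINDOW_ROW_LIMIT = 50_000             # cumulative rows per user+source in WINDOW

# Table references after FROM/JOIN/COPY/INTO: enough for audit triage,
# not a SQL parser.
TABLE_RE = re.compile(r"\b(?:from|join|copy|into)\s+[`\"]?(\w+)[`\"]?", re.IGNORECASE)
# Server-side dump idioms: MySQL INTO OUTFILE/DUMPFILE, PostgreSQL COPY ... TO.
DUMP_RE = re.compile(r"\binto\s+(?:outfile|dumpfile)\b|\bcopy\b.+\bto\b", re.IGNORECASE)


def sensitive_tables_in(statement):
    return {t.lower() for t in TABLE_RE.findall(statement)} & SENSITIVE_TABLES


def is_full_table_read(statement):
    """A SELECT with neither WHERE nor LIMIT reads the whole table."""
    s = statement.lower()
    return s.startswith("select") and " where " not in s and " limit " not in s


def analyse(records):
    """Return (rule, user, src_ip, detail) alerts for time-ordered records."""
    alerts = []
    window = defaultdict(deque)  # (user, src_ip) -> deque of (ts, rows)
    for r in records:
        stmt, rows = r["statement"], r["rows"]
        if not sensitive_tables_in(stmt):
            continue
        ts, who = datetime.fromisoformat(r["ts"]), (r["user"], r["src_ip"])
        if r["src_ip"] not in ALLOWED_SOURCES:
            alerts.append(("unexpected_source", *who, stmt))
        if DUMP_RE.search(stmt):
            alerts.append(("dump_statement", *who, stmt))
        if is_full_table_read(stmt):
            alerts.append(("full_table_read", *who, stmt))
        if rows >= SINGLE_QUERY_ROW_LIMIT:
            alerts.append(("bulk_rows", *who, f"{rows} rows in one statement"))
            continue  # already alerted; the window is for sub-threshold chunks
        # Chunked extraction: LIMIT/OFFSET pages that individually stay under
        # the single-statement threshold but add up inside the window.
        q = window[who]
        q.append((ts, rows))
        while ts - q[0][0] > WINDOW:
            q.popleft()
        total = sum(n for _, n in q)
        if total >= WINDOW_ROW_LIMIT:
            alerts.append(("chunked_extraction", *who, f"{total} rows in {WINDOW}"))
            q.clear()  # one alert per sustained pull, not one per page
    return alerts


def summarize(alerts):
    """Alert count per rule name."""
    return Counter(a[0] for a in alerts)


# Constructed audit records for the demo (not real log data), in time order.
SAMPLE_AUDIT_LOG = [
    # Off-hours: a read-only account from an unknown host pages through the
    # patient table in 20k-row chunks, each below the single-query limit.
    {"ts": "2024-03-11T02:14:07", "user": "backup_ro", "src_ip": "198.51.100.23",
     "statement": "SELECT * FROM patients LIMIT 20000 OFFSET 0", "rows": 20000},
    {"ts": "2024-03-11T02:14:40", "user": "backup_ro", "src_ip": "198.51.100.23",
     "statement": "SELECT * FROM patients LIMIT 20000 OFFSET 20000", "rows": 20000},
    {"ts": "2024-03-11T02:15:12", "user": "backup_ro", "src_ip": "198.51.100.23",
     "statement": "SELECT * FROM patients LIMIT 20000 OFFSET 40000", "rows": 20000},
    # Then one unbounded join pulling identities with reproductive-health fields.
    {"ts": "2024-03-11T02:20:00", "user": "backup_ro", "src_ip": "198.51.100.23",
     "statement": "SELECT p.name, p.phone, h.pregnancy_status FROM patients p "
                  "JOIN health_profiles h ON h.patient_id = p.id", "rows": 7000000},
    # Normal application traffic: point lookups from an allowed app server.
    {"ts": "2024-03-11T09:00:01", "user": "app_svc", "src_ip": "10.0.20.11",
     "statement": "SELECT name, phone FROM patients WHERE id = 48213", "rows": 1},
    {"ts": "2024-03-11T09:00:02", "user": "app_svc", "src_ip": "10.0.20.11",
     "statement": "SELECT * FROM orders WHERE patient_id = 48213", "rows": 4},
    # An allowed host is still not allowed to dump a sensitive table to disk.
    {"ts": "2024-03-11T09:30:00", "user": "dba", "src_ip": "10.0.20.12",
     "statement": "SELECT * FROM patients INTO OUTFILE '/tmp/p.csv'", "rows": 7000000},
]

if __name__ == "__main__":
    for rule, user, src, detail in analyse(SAMPLE_AUDIT_LOG):
        print(f"{rule:20} {user}@{src}: {detail}")
    print(dict(summarize(analyse(SAMPLE_AUDIT_LOG))))
```

On the constructed log this raises ten alerts: the three 20k-row pages trip the windowed rule only on the third page, the unbounded join and the `INTO OUTFILE` dump each trip several rules at once, and the application's point lookups raise nothing. Two practical notes: many database audit facilities do not record rows returned by default, so where that field is missing the rules must lean on statement shape or on a proxy that counts result rows; and thresholds belong per table and per role, since a nightly ETL job legitimately reads what an application account never should.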
When an Initial Access Broker with documented ties to ransomware operations sells
7 million patient records, including reproductive health data, on one of the
internet’s most established cybercrime forums, it exposes the full chain of
failure: from stolen credentials to unmonitored databases to the absence of any
detection mechanism. The PDPL grace period may have shielded the operator from formal
penalties, but it did not shield 7 million patients from having their most intimate
health data monetized by criminals.