Cybersecurity & Data Protection in MENA

A 6-vulnerability iOS exploit chain deploying three malware variants targeted users across Saudi Arabia, Turkey, Malaysia, and Ukraine.

INC Ransom exfiltrated 400GB from Saudi Arabia's largest private energy company - engineering drawings, financial records.

INC Ransom published 4TB from Saudi Arabia's premier architecture firm - 53 years of drawings for PIF Tower, GCC HQ, National Guard facilities.

A database of 690,000 Saudi bank account holders with full names, IBANs, and account balances was sold for $420 on a Chinese-language cybercrime forum.

Pro-Iranian hacktivist group Cyber Fattah leaked passport scans, IBANs, and medical certificates of 6,000+ Saudi Games 2024 participants via unsecured.

11GB of classified data from Saudi Arabia's General Intelligence Presidency surfaced on dark web platforms, exposing personnel records and operational.

DragonForce ransomware exfiltrated 6.96TB from Saudi contractor Al Bawani including airbase plans and defense blueprints. $20M ransom refused.

NEOM's recruitment portal was compromised and 280,000 applicant records sold on BreachForums. Prior credential leaks dating to 2023 had gone unremediated.

Hellcat ransomware co-founder Pryx exploited an IDOR vulnerability in saudi.gov.sa to exfiltrate 40GB of citizen data including national IDs and driver's.

Threat actor 'sentap' listed 7M+ Saudi patient records on the Exploit forum, including blood types, pregnancy status, payment methods, and home addresses.

A threat actor published 864 employee records from Riyadh Airports Company, operator of King Khalid International Airport, on a cybercrime forum for $290.

Aggregate analysis of SDAIA's first 48 enforcement decisions under the Saudi PDPL, examining regulatory patterns, priorities, and compliance expectations.

600MB containing 1.4M employee records from Saudi Arabia's Ministry of Foreign Affairs surfaced on dark web forums, exposing diplomatic staff at embassies.

Ransomware attackers exfiltrated 201GB from GlobeMed Saudi, the kingdom's largest healthcare claims administrator, in a double-extortion attack on patient.

Threat actor 'ZeroX' exfiltrated 1TB via a compromised third-party contractor, exposing 14,000 employees' data and demanding a $50M ransom in cryptocurrency.

A SQL database of Saudi MOH patient records appeared for sale on dark web forums, containing Arabic names, national IDs, medical diagnoses.

Internal activation reports from Virgin Mobile KSA leaked on breach forums, exposing employee IDs, customer names, phone numbers, national IDs.

585GB of data from 5M Saudi users including real names, phone numbers, and precise GPS locations was left on an unprotected MongoDB database with no.

Passport scans of 700+ VIP attendees including former UK PM David Cameron, Binance CEO, hedge fund billionaires Feb 1, 2026.

Threat actors exfiltrated 371,000 customer records from the UAE's second-largest telecom operator and set a ransom deadline. Emirates IDs and billing data.

A threat actor exfiltrated 239GB containing 417,000 files from the UAE's mandatory engineering licensing body, including Emirates IDs, passports.

Threat actor Kazu exfiltrated 1.94TB containing 13M files from Dubai's Ports, Customs and Free Zone Corporation, selling passport scans and gate logs for $50K.

700,000 credit card holder records from the Middle East's largest bank sold for just $430 on a Chinese-language forum. Third Emirates NBD breach in 18 months.

Gunra ransomware claimed 450M patient records from American Hospital Dubai including Emirates IDs, credit cards, and fertility data.

A threat actor exploited CVE-2021-35587 in Oracle Cloud's SSO infrastructure, compromising 6M credentials globally including 634 UAE entities.

Stormous ransomware stole 22GB from Wizz Air Abu Dhabi including air operator certificates, crew records, flight operations data, and passenger manifests.

Threat actor IntelBroker published 196,000 Lulu Hypermarket customer records on BreachForums, exposing names, emails, phone numbers, and loyalty card data.

Daixin ransomware exfiltrated approximately 60-80 GB from Dubai Municipality including Emirates IDs, passport scans, HR records, and land ownership data.

Qilin ransomware stole 2.5TB from UAE-operating Habib Bank AG Zurich, exposing passport numbers, account balances, KYC documents, and transaction records.

Coordinated DDoS attacks simultaneously hit ADCB, FAB, Mashreq, and RAKBANK, disrupting critical banking services and raising systemic risk concerns.

Multiple threat actors breached TDRA and uae.gov portals throughout 2024, listing citizen data, employee records, admin credentials.

Trip histories, location data, and personal details of 14.5M Careem users and drivers across 14 MENA countries were stolen, helping catalyze the UAE data.

Three threat actors claimed 200GB from Bahrain's NSA email infrastructure in 8 months. ESIX 7.13. US Fifth Fleet and UK intelligence-sharing implications.

A politically motivated threat actor published 15,500 Bahraini government service portal credentials on a dark web forum. No acknowledgment from Bahraini.

Hacktivist group Al-Toufan launched multi-wave attacks on Bahrain's airport, news agency, and financial institutions timed to the 2011 Pearl Roundabout.

Citizen Lab documented Bahrain's use of NSO Group's Pegasus spyware against at least nine activists via zero-click iMessage exploits requiring no user.

A Nigerian cybercrime gang breached BBK's server infrastructure over two days and fraudulently transferred ~$739,000 from three customer accounts to 87.

Amnesty rated BeAware among the world's most dangerous contact-tracing apps, conducting live GPS tracking linked to national IDs and broadcasting.

Iran-linked APT34 deployed Dustman wiper malware against Bahrain's national oil company BAPCO, gaining initial access months earlier via a compromised VPN.

Iranian state actors gained command-and-control of Bahrain EWA's industrial control systems managing electricity and water for the kingdom alongside NSA.

Qatar Financial Centre issued its first-ever data protection fine, penalizing an unnamed financial services firm $150,000 for security and notification.

Qatar's largest expat community platform had its Elasticsearch database posted on BreachForums, exposing user IDs, names, emails, and phone numbers.

A supply chain attack on aviation IT provider SITA exposed frequent flyer data for Qatar Airways Privilege Club members. SITA serves ~90% of the world's.

Zero-click iMessage exploits deployed by Saudi- and UAE-linked operators compromised 36 Al Jazeera journalists' iPhones. Citizen Lab identified the KISMET.

Amnesty discovered a critical API flaw in Qatar's mandatory Ehteraz contact-tracing app that exposed health data of 1M+ users via predictable QID enumeration.

Attackers planted fake quotes attributed to the Emir on QNA's website, triggering the 3.5-year Saudi-led blockade of Qatar and a major Gulf diplomatic crisis.

The largest bank in the Middle East suffered a massive 1.4GB data exfiltration exposing hundreds of thousands of account numbers, credit card details.

Iran-linked Shamoon malware wiped corporate systems at Qatar's RasGas LNG producer, two weeks after devastating Saudi Aramco's 35,000 workstations.

Cl0p ransomware listed Oman's sole electricity and water utility on its leak site, threatening 4.9M residents' data 76 days before PDPL enforcement.

Oman's state-owned energy giant OQ, operating across 17 countries, was among the first victims of the newly emerged Termite ransomware using a modified.

RansomHub ransomware exfiltrated 490GB from Omani engineering conglomerate Towell, including employee PII, payroll records, and financial documents.

Omani oilfield services provider SOS was hit by LockBit 3.0 in April 2024 and Meow ransomware four months later, a rare double-hit exposing persistent.

Oman-based oil and gas operator CC Energy Development was compromised in Cl0p's mass exploitation of the MOVEit Transfer zero-day that hit 2,500+.

Ransomware encrypted the main server of one of Oman's largest insurers on New Year's Day, demanding 50 BTC (~$360K). Backup systems enabled recovery.

Iranian APT34 penetrated Oman's Administrative Court as part of a long-running espionage campaign exposed when Lab Dookhtegan leaked the group's tools in 2019.

Attackers breached two payment processors to remove withdrawal limits on 12 prepaid cards, enabling a $40M global ATM cash-out heist across 24 countries.

Cl0p ransomware listed Zain Group, Kuwait's largest telecom serving 50M+ subscribers across seven countries, after exploiting the MOVEit Transfer zero-day.

Two foreign cybercrime gangs arrested using rogue BTS/IMSI catchers in Kuwait to intercept SMS and inject fraudulent bank messages.

Ransomware disabled the Sahel EHR system across 16 hospitals and 100+ clinics serving 4.8M residents, forcing Kuwait's healthcare ministry offline.

Rhysida ransomware hit Kuwait's Ministry of Finance, the fiscal nerve center of one of the Gulf's wealthiest states, disrupting government financial systems.

LockBit 3.0 listed Kuwait's Ministry of Commerce and Industry on its leak site, claiming data covering business registrations, trade licenses.

LockBit 2.0 claimed a breach of Kuwait's national carrier, threatening to publish 600,000 passenger records including identity documents and travel data.

Attackers compromised Kuwait News Agency's official Twitter account and broadcast fabricated reports of a US military withdrawal, causing a diplomatic crisis.

Palo Alto Unit 42 uncovered a multi-year espionage campaign using custom anime-named backdoors to target Kuwait's shipping sector and government entities.

Iran-linked APT39 (Chafer) conducted a multi-year espionage campaign against Kuwaiti government agencies, targeting diplomatic, military.

Everest ransomware exfiltrated 11.7GB from Jordan Kuwait Bank, exposing national IDs, salaries, and employment contracts of 1,003 employees on its dark.

FBI arrested Jordanian national Feras Albashiti after an XSS forum undercover operation exposed him as a prolific initial access broker who sold RCE.

Jordan's NCSC reported 6,758 incidents in 2024, a 175% surge over 2023, issuing 6,922 alerts and achieving a 97% detection rate against known threat indicators.

Rhysida ransomware breached Abdali Hospital in Amman, demanding 10 BTC (~$430K) for stolen patient data. Jordan has no comprehensive data protection law.

Analysis of Jordan's Cybercrime Law No. 17/2023, which replaced the 2015 framework with expanded prosecutorial powers and broader offense definitions but.

Business and Human Rights Centre investigation found five Jordanian ISPs, including Orange, collecting intrusive user data beyond service needs without.

Citizen Lab and Access Now documented systematic Pegasus deployment against 35+ journalists, lawyers, and activists in Jordan over four years.

SMT Group found Jordan's telecom sector leaked 92% of all credentials between 2017-2019, with Orange Jordan responsible for more than half of telecom.

Amnesty International revealed Predator spyware deployed against Egyptian activists via zero-click exploits. US sanctions imposed on Intellexa consortium.

AI-assisted ransomware group FunkSec attacked Egypt's flag carrier EgyptAir, claiming passenger manifests, passport numbers, and employee records.

Money Message ransomware group targeted Egypt's tax authority in a double-extortion attack, threatening to publish taxpayer financial records.

A health insurance database covering 85 million Egyptian citizens appeared for sale on BreachForums, containing national IDs, addresses.

LockBit 3.0 attacked Fawry, Egypt's largest digital payment platform serving millions through 250,000+ POS terminals, threatening to publish stolen.

A database of 2 million Egyptian patient records from the Ministry of Health appeared for sale on dark web markets, containing Arabic names, national IDs.

Hacktivist group 'Egypt Leaks' published account records, transaction histories, and internal communications from multiple Egyptian banks online.

An unprotected AWS S3 bucket exposed data of 72,000+ Egyptian children including names, birth dates, national IDs, and test scores.

Citizen Lab discovered Egyptian ISPs using Sandvine PacketLogic deep packet inspection to hijack subscriber traffic for ad injection and cryptocurrency.

Patient records from four Lebanese hospitals spanning 2010-2021 posted to dark web with cleartext passwords, including medical records, passports.

Lebanon's Education Ministry accidentally published 56,000 student exam results and 27,000 teacher bank account numbers on its website.

Hezbollah-linked Lebanese Cedar APT exploited unpatched Atlassian and Oracle servers to breach 250+ telecom servers globally, stealing call records.

Iranian APT hijacked DNS records for Lebanon's Ministry of Finance and Middle East Airlines, intercepting email credentials and VPN logins.

Cybersecurity CEO Khalil Sehnaoui breached Ogero Telecom, government ministries, banks, and airport systems in what was called Lebanon's largest hack.

EFF and Lookout exposed a Lebanese intelligence espionage campaign run from a GDGS building in Beirut, targeting thousands of victims across 21+ countries.

A Stuxnet-related Gauss trojan targeted six major Lebanese banks including Bank of Beirut and BlomBank, stealing online banking credentials from 2,500.