GCC banks' response to hacking woefully inadequate

QNB and InvestBank let down their customers by not only failing to protect their private information but by then playing down the significance of the attacks
GCC banks' response to hacking woefully inadequate
By Courtney Trenwith
Fri 13 May 2016 12:10 AM

The recent leaking of customer data stolen from Qatar National Bank and Sharjah’s InvestBank is troubling; financial institutions are expected to be among the most secure organisations globally.

But what is most troubling is the banks’ public response to the hackings that prove their security is inadequate.

InvestBank has not made any public comment, whether to apologise to customers, reassure them that security would be enhanced or otherwise. While the data may have been recycled from December, its silence on this occasion will come as a disappointment to customers and shareholders who deserve an explanation.

QNB — the largest bank in the Middle East — also initially refused to comment, implying that the reports were false: “It is QNB Group policy not to comment on reports circulated via social media”.

Later, it conceded its security had been breached but attempted to dismiss the significance of the hacking. One affected customer claimed that when he called the bank, a QNB agent initially denied the hacking had occurred. When he proved them wrong, the bank guaranteed that even though his data and personal details had been made public, identity theft was “impossible”.

“Imagine that, the agent (who refused to give me his full name, ironic considering my full name and more was leaked by them worldwide) actually guaranteed this,” the customer told Doha News.

In a public statement on May 1, QNB attempted to downplay the seriousness of the breach. To suggest that the attack “only targeted a portion of Qatar-based customers” is a slap in the face to those who were hit. To have even one customer’s data stolen proves the bank’s security systems are deficient. In this case, up to 400,000 customers had at least some of their personal information stolen and published online. For QNB to dismiss the breach of these customers’ privacy is worrying, to say the least.

The bank went on to deny that those customers were not the intended target of the hacking.

“While some of the data recently released in the public domain may be accurate, much of it was constructed and contains a mixture of information from the attack as well as other non-QNB sources, such as personal data from social media channels,” the statement said.

“We believe the nature of this incident is fundamentally an attempted attack on QNB Group’s reputation and not specifically targeted at our customers.”

Whether the bank’s reputation was the target or not, the fact is up to 400,000 customers were caught in the middle because QNB failed to protect their information.

At a strategy meeting held last Tuesday, the bank apparently discussed everything but the security breach and how it would enhance its systems to prevent another such attack. According to a press release published in full by The Peninsula, QNB instead discussed how it would become a “Middle East and Africa (MEA) icon by 2017”.

A bank that fails to adequately respond to customers’ concerns will find it difficult to become an icon. QNB is not the only bank — nor the only institution with private customer or state data — to have been hacked. But few organisations whose security has been breached have responded in such a disappointing manner.

It is that response, not the hacking, that could prevent QNB from becoming an “icon” any time soon.

For all the latest banking and finance news from the UAE and Gulf countries, follow us on Twitter and Linkedin, like us on Facebook and subscribe to our YouTube page, which is updated daily.

Subscribe to our Newsletter

Subscribe to Arabian Business' newsletter to receive the latest breaking news and business stories in Dubai,the UAE and the GCC straight to your inbox.