Over the past seven months, the Israeli occupation has precisely targeted people, houses, and vehicles in South Lebanon and Beirut’s southern suburb, profoundly impacting everyday life in Lebanon.
These flagrant breaches are a result of years of data mismanagement, which has allowed Israeli military forces to penetrate compromised Lebanese telecommunications and spy on residents, risking people’s lives and forcing their displacement.
Lina Ouaidat, the National Cyber Security Coordinator and Advanced Counter Terrorism Coordinator, highlights internal challenges facing the implementation of a robust cybersecurity strategy in Lebanon. Such a strategy is needed more than ever today, and it is the Lebanese government’s responsibility to ensure its quick and effective institution.
For now, our data remains endangered, as it has been made easily accessible for the Israelis. This article traces the history of two decades of data leaks and espionage in Lebanon, while highlighting key incidents in which the Lebanese state has compromised people’s data.
Data Leaks Based on Car Plate Numbers
An application launched in 2015 called Cars 961 enabled users to obtain information about the car and its owner by uploading the car plate number on the app. The application provided users with personal data such as the full name of the car owner, their full address, date of birth, and phone number. The application was eventually shut down.
Unfortunately, the latter was not the first leak of this kind. Data of car plate numbers are leaked almost every year in Lebanon due to the fragile and basic data storage and protection policy followed by the Lebanese government and its administrations. Data related to car plates are stored on unencrypted and unprotected CDs that get leaked almost on a yearly basis facilitating the falsification of car registrations. The data in the CD includes the car owner’s full name, along with their date and place of birth, registration number, place of residence, cell number, and home phone number.
Although the state began issuing biometric drivers’ licences in 2017 after signing a contract with Inkript, a Lebanese software development company, making the shift from the traditional CD ROMs, data leaks are still a threat as governmental websites are unsecured.
Threats of Leaking Syrian Refugees’ Data
The Lebanese government requested the data of over two million Syrian refugees in Lebanon from the United Nations Refugee Agency (UNHCR).
In 2023, the UNHCR agreed, and a military official confirmed that the government received the refugees’ data. Human rights organizations and activists fear the data will be submitted to the Syrian regime as a new way to crack down on the opposition and to request their return to Syria. Considering Lebanon’s weak data security infrastructure, this critical data might also be hacked or leaked by governmental staff to third parties.
Lebanese Embassies Expose Data of Voters Abroad
After the parliamentary elections on May 6, 2018, Lebanese residents in several countries received emails with the personal data of voters to confirm their voter registration information.
This included a voter’s full name, mother’s name, father’s name, sex, date of birth, religion, marital status, and address.
Lebanese people residing in The Hague received an email with over 200 voters CC’d. All recipients could view and share the data of the 200 voters in the Netherlands. In the UAE, the Lebanese embassy sent the same confirmation email to about 5000 Lebanese expats living there. In other countries, voters received messages from candidates as a campaign strategy to encourage them to vote.
A Hacking Scandal in the History of Lebanon
In July 2018, Krypton Security, a Lebanese hacking company founded in 2013, breached the security of major public institutions in Lebanon. These included the civil flight data at Beirut International Airport, websites of the Ministry of Economy and Interior, OGERO, and the Civil Status Directorate at the Ministry of Interior. It also obtained information from websites related to the Lebanese security body.
The hack was discovered after Inconet Data Management (IDM), an internet distribution company, filed a complaint with the Public Prosecution Office after unsuccessful attempts to halt hacking activities in 2017. Investigations revealed that Khalil Sehnaoui, a Lebanese-Belgian consultant who heads Krypton Security, was behind the attacks.
Schools’ Continuous Data Leaks
The data of over 27 thousand teachers in Lebanon’s public schools was accidentally published on the Ministry of Education’s official website this year. Despite the leak being a result of a technical error, the ministry did not justify nor correct that error. The data was published in an excel sheet listing the names of the teachers, their emails, working hours, marital status and bank account numbers.
This is not the first time the Ministry of Education leaks school-related data. In 2022, about 56 thousand Grade 9 students had their data published online, including their grades and their personal information. The ministry initiated an investigation, then insisted on moving towards digitizing the data of its employees and students, ignoring Lebanon’s weak cybersecurity policies.
Ministry of Communications Hands Over Citizens’ Data to Lebanon’s Special Tribunal
While former MP Marwan Hemadeh was Minister of Telecommunications from 2005 to 2008, he cooperated with the Special Tribunal for Lebanon following former PM assassination Rafic Harriri on February 14, 2005 by handing over the data of the people residing in Lebanon. For the sake of the continuation of the investigations, Hemadeh fulfilled the handover to the tribunal to better track the calls and ease investigation into the case.
The verdict was issued 15 years later and deemed one Hezbollah-tied Salim Ayyach guilty in absentia and acquitted three others. The Lebanese investigator, Wissam Eid, who provided the plans and phone numbers of the attack was assassinated in Beirut in 2008.
People’s Data is Unsafe in the Hands of the State
Despite Lebanon’s weak cybersecurity infrastructure, including the country’s official websites, the government has been investing time and money to accumulate data of citizens by digitization of the public sector.
This shift, although crucial in improving governance, has had its backlash on citizens’ privacy. For example, telecommunications companies in Lebanon, Touch and Alfa, offer a service of selling phone numbers and emails of users to companies wishing to attract more clients by reaching out to people via messages or emails. The data supplied segments the target audience according to their gender, age, and profession, according to the companies’ websites.
Another way of accumulating data includes the biometric passports, licences, credit cards, and lately, civil extracts that have been issued by the Ministry of Interior.
As if the embassies, telecommunications, car plates, AUB, OGERO, ministries and special tribunal data leaks were insufficient, the Lebanese government is striving to gather more data from its citizens to be handed to a poorly protected and easily penetrated telecom infrastructure.
Photo: JALAA MAREY / AFP
