As the war escalates, the digital battlefield is proving just as volatile as the physical one putting civilian lives directly in the line of fire.
Just days ago, the Lebanese Security Forces (LSF) arrested an Israeli Mossad operative linked to the targeting of the Comfort Hotel in the Hazmieh area, and revealed that the operative had handed over critical datasets to Israel.
Stories like this have exposed the fragility of the Lebanese state across multiple sectors—but most importantly on the telecoms, cybersecurity, and data privacy sectors. SMEX has long warned of these vulnerabilities, and have called for the Lebanese government to take corrective action before it was too late.
This guide outlines the underlying weaknesses that did not originate with the current war, but are rather the byproduct of years of neglect, lack of planning, and underinvestment in digital infrastructure. These flaws, uncovered by both the previous and current wars, continue to cripple Lebanon’s telecommunications sector.
Data Without Defense: A Legislative Vacuum
Interrogations revealed that the critical datasets handed to Israel by the Mossad operative included records from Électricité du Liban (EDL), the Ministry of Telecommunications, Ogero (the state’s internet provider), and the Ministry of Public Health. Data also included delivery service companies and granular data from the Traffic Management Center involving vehicle license plate records and their buyers.
SMEX’s Media Program Manager, Abed Kataya notes that Israel is actively seeking “fresh and updated data” beyond what commonly appears in leaked databases, such as financial statements and vehicle registration records.
He adds that the use of individual hackers or hacker networks in which members remain anonymous to one another guarantees the accurate verification of targets and the cross-referencing of digital data with real-world intelligence.
Israeli drones, such as the “Hermes 450” and “Hermes 900,” which have hovered in Lebanese airspace almost incessantly for over two years, collect Signal Intelligence (SIGINT) and intercept cellular signals, Wi-Fi, GPS data, and telecom metadata.
This sophisticated aerial presence allows Israel to map behavioral patterns, track devices, and harvest sensitive information from Lebanese residents, without having to set foot on Lebanese soil.
While data protection should become a regular safeguard upheld by the state when passing laws, brokering deals, launching platforms, or processing both digital and paper-based transactions, it is still far from being implemented in Lebanon.
SMEX’s analyses reveal that most government platforms lack even the most basic security standards, privacy policies, or safeguards to protect their residents’ data from third-party breaches.
In late September 2018, the Lebanese Parliament passed the Electronic Transactions and Personal Data Law. Although work on the draft law began in 2004 with the aim of regulating e-commerce, a SMEX analysis proved that its frameworks for protecting Lebanese citizens’ personal data are obsolete and ineffective.
Over the past several years, Lebanese authorities have launched various digital platforms, some in response to emergencies and others to streamline government services.
On September 1, 2020, the Ministry of Public Health launched the “Together Against Corona” (Ma’an) app for contact tracing during the COVID-19 pandemic. Upon review, SMEX uncovered fundamental security flaws that left the app vulnerable to third-party exploitation.
The same app also lacked encryption and contained several “hardcoded” files, meaning sensitive information, such as administrative usernames and passwords, could be exposed to malicious actors.
Furthermore, the app’s SQL database was found to execute raw queries, leaving it vulnerable to SQL injection attacks. These vulnerabilities could allow malicious third parties to access the sensitive data of both users and system administrators.
In January 2022, the Lebanese General Directorate of General Security launched a new platform for passport renewal appointments to help solve overcrowding at application centers. Following a preliminary assessment, SMEX found that the platform also lacked essential data security measures, privacy protections, and transparency. In addition, the platform was developed by the “Hani Saliba Foundation,” which was affiliated with a candidate running for Parliamentary elections at the time.
In February 2025, Lebanon’s Directorate General of Civil Status launched a campaign encouraging voters to verify their personal information on electronic voter lists by March 1, 2025.
The fact that these lists are published to the public allows anyone to access and exploit this information, a vulnerability that was already weaponized during the 2024 Israeli war on Lebanon. Users can also view all voters within a specific electoral district simply by selecting the governorate, village, neighborhood, gender, sect, and civil registry number.
Despite receiving financial and technical support from the European Union and the United Nations Development Programme (UNDP), the platform still lacks terms of service and a privacy policy. This prevents users from understanding what data is being collected, how and where it is stored, what security protocols are in place to protect it, or what steps are taken in the event of a breach.
Vehicle license plate data in Lebanon is leaked almost annually due to the government’s fragile and primitive data storage and protection policies. License plate records are stored on unencrypted, unprotected CDs, facilitating forgery in vehicle registration processes.
The data burned onto these discs includes the owner’s full name, date and place of birth, registry number, place of residence, and both mobile and landline telephone numbers.
Finally, Lebanon suffers from a significant lag in adopting the IPv6 protocol, the next generation of IP addresses designed to expand network capacity while improving efficiency and security. With an adoption rate of less than 1%, compared to 40% across Asia, Lebanon is failing to keep pace with the technical advancements necessary to support emerging technologies, such as cloud computing and smart infrastructure.
To date, Lebanon has not enacted a dedicated privacy law. Instead, the legal framework is limited to a general law governing electronic transactions and personal data (81/2018) and an outdated telecom interception law (140/1999).
These examples are merely symptomatic of a systemic model. Critical questions regarding where, how, and how long data is kept, as well as the identity of the parties authorized to access it, all remain unanswered.
The Reality of Cybersecurity
The 2024 Internet Society (ISOC) Country Report revealed that Lebanon’s cybersecurity score stands at a mere 30.44 out of 100, indicating a profound lack of protection. The adoption rate of IPv6, the latest and most secure version of the Internet Protocol, does not exceed 1%, compared to a 40% adoption rate across Asia.
As a country marked by frequent turmoil and crises, Lebanon should theoretically be more prepared in terms of digital security to prevent millions of users from falling prey to threats such as phishing, malware, and digital espionage.
Israel, infamous for its involvement in espionage and hacking in the region and the world, escalated to wage a war on Lebanon in September 2024. With its onset, many residents reported suspicious activity on their devices, suggesting a potential mass breach of the telecommunications network.
Israel also distributed leaflets containing QR codes across various Lebanese regions. Post-war, and with the return of displaced persons, random surveys began to circulate. These forms, of unknown origin and intent, misled affected individuals into believing they would receive aid, requesting sensitive details regarding home reconstruction and the extent of property damage.
Insufficient Official Responses
Repeated breaches, alongside both wars, have demonstrated Lebanon’s lack of strategic protective foundations for cybersecurity, whether to secure state websites or the safety of residents, including citizens, displaced persons, refugees, and migrant workers.
In 2019, the Presidency of the Council of Ministers drafted what it termed the “National Cybersecurity Strategy.” It was never implemented to establish clear standards or frameworks for official platforms and websites.
In August 2024, authorities announced they were working to modify the Traffic Management Center’s platform. This initiative came after discovering that the existing system had been compromised by unidentified actors.
In June 2025, the website of the Meteorological Department at Beirut-Rafic Hariri International Airport (RHIA) fell victim to a hijacking that reportedly lasted for over nine hours. This followed a January 2024 breach at the airport, where a cyberattack displayed political messages on screens and disrupted baggage conveyor belts.
To date, no official entity has disclosed whether critical data, including airport operations, flight details, or passenger information, was compromised during these incidents.
Beyond these high-profile cases, individual users and government websites have been repeatedly targeted. Attack reach even extended to private Lebanese entities, such as Middle East Airlines (MEA), Lebanon’s national airline.
Despite this alarming track record, the Lebanese government has failed to take any public measures to secure telecom networks or investigate these incidents and the extent of Israeli exploitation of local infrastructure.
Deals Compromising Data Security and Digital Sovereignty
Numerous concerns have been voiced regarding agreements finalized or proposed by Lebanese authorities and ministries that blatantly disregard user privacy and data security. The Starlink deal, the introduction of e-wallets, and telecom monitoring software serve as prime examples in this regard.
Starlink
While Lebanese residents endured peak suffering during wartime, the Lebanese government pushed through a decision to expand the licensing of Starlink services during a Cabinet session held on March 5, 2026. The government gave more entities access to Starlink, bypassing previous security caveats that required Lebanese security agencies to have access to the regulatory infrastructure.
SMEX addressed a series of inquiries to the Ministry of Telecommunications, which, in turn, failed to respond to concerns regarding the resulting security risks. The Ministry also remained silent on the entity responsible for user data, knowing that such data that was originally intended to route through a security control center in Qatar (the facility that was not expected to be operational before May).
The government decision, thus, permits use of the service even in the absence of a security control center. It hollows out surveillance and protection guarantees and constitutes an unprecedented surrender of user data. Furthermore, given the absence of an effective security center and oversight, the new government decision fails to meet international digital rights standards, which stipulate that any surveillance or data access must be “lawful, necessary, and proportionate.”
Initially, the deal was contingent on a data center in Qatar, through which Lebanese security agencies could monitor data traffic. However, in its latest session, the government abandoned this condition, meaning that citizen data is now linked to and exposed before U.S. authorities, with a clear exclusion of Lebanese security agencies from the process.
Oracle
The Minister of State for Technology and Artificial Intelligence, Kamal Shehadi, announced an undisclosed strategic Memorandum of Understanding (MoU) between the Lebanese government and U.S.-based Oracle. The agreement, dated December 2025, aims to provide training to 50,000 individuals.
The agreement was framed as a “free gift” and portrayed as a ministerial achievement. However, its utility with regard to Lebanon’s digitalization plans remains unclear, especially since most of Oracle’s training programs focus exclusively on the company’s proprietary products and software.
The most significant challenge posed by this agreement is the adoption of a new, U.S.-sourced infrastructure for training and business. The risks extend beyond privacy violations, for Lebanon will have to adopt the very infrastructure Oracle is offering to train Lebanese citizens on for free. As such, no tangible guarantees can be provided regarding the fate of the data collected.
Oracle is well-known for its corporate capitalist nature that prioritizes profit maximization above all. Recently, the company saw a notable decline in its financial performance due to setbacks in its Artificial Intelligence ventures. This decline drove tech giants to seek expansion into smaller markets, particularly in the Global South, with a view to harvest valuable data and regain their competitive edge.
E-Wallets
Since 2019, 19 financial firms have been granted licenses from the Central Bank of Lebanon (BDL) to launch e-wallets. However, contrary to common international practice, Lebanon’s two main mobile operators, Alfa and touch, were not among these firms. Former Telecommunications Minister, Johnny Corm, fabricated obstacles stripping the two operators of the right to establish these wallets. E-wallets were, rather, placed under the control of private financial institutions.
For any firm to establish an e-wallet, it would require access to Alfa and touch’s customer databases. This sensitive information would fall into foreign hands, posing a significant threat to the data and its owners.
As a result of this decision, users’ sensitive financial and personal data is transferred to entities that may not be fully subject to Lebanon’s legal and regulatory frameworks. Without clear guarantees, laws, or regulations regarding data localization, security, and oversight, this move risks violating user privacy and weakening Lebanon’s control over its financial infrastructure.
Licenses granted by the Central Bank provide, as well, legal protection for the foreign company, increasing risks rather than mitigating them.
Astellia
Today, Lebanese security agencies rely on the “Astellia” monitoring system, which mobile operators use as a network performance tool. Such a maneuver allows collection of identifying information and personal data under the guise of maintaining service quality.
Sources previously revealed to SMEX that Lebanese security agencies already possess a telecom interception system. However, internal disputes among the four major security branches over who would manage the system led them to take “the path of least resistance” by accessing data directly through the mobile operators.
Conclusion and Recommendations
With the continuation of Israel’s war on Lebanon, which has exposed technological and cybersecurity vulnerabilities, security and data protection have taken on an urgent sovereign dimension no less important than the military fronts.
Existing flaws have exacerbated since the start of the war, particularly given the absence of clear contingency plans to overcome cyber crises or network disruptions. This deterioration is not, however, a sudden occurrence but a result of a chronic fragility characterized by weak digital infrastructure, a lack of strategic planning, and a failure to build an integrated cybersecurity ecosystem.
While the war has exposed the depth of these gaps, the Lebanese government speaks of ambitious digital transformation plans, AI-driven strategies, and dismantling illegal internet networks. But how can a country achieve these goals without a solid digital foundation?
Reform must begin by addressing the foundations, primarily the legal, institutional, and technical frameworks for data protection and privacy. Urgent legal reforms are clearly required, including the adoption of a comprehensive new law focused on personal data protection.
This must be accompanied by strict technical measures, commitment to data protection protocols, and the reinforcement of transparency and accountability, to be implemented whenever e-platforms collect personal data.
Lebanon urgently needs to reinforce its telecommunications infrastructure to guarantee residents reliable, secure, and high-quality access, especially in times of crisis. That means upgrading aging networks, hardening systems against disruption, and adopting governance frameworks built on transparency and accountability.
At the same time, authorities must move beyond rhetoric to implement a modern, functioning national cybersecurity strategy. Strengthening data management systems, investing in cybersecurity capacity, and committing to full transparency when breaches occur are no longer optional, they are essential to public trust.
More broadly, the government needs a coherent vision for the technology sector. That begins with clearly defining the mandates of ministries and regulators, then setting priorities for critical infrastructure, from data governance to cyber defense. Any strategy must be grounded in internally consistent local realities and designed to deliver measurable results.
As for “donations,” and “training programs,” the government should practice extreme caution. Every offer must undergo a rigorous impact assessment concerning security, privacy, and data protection, alongside an audit of the involved companies’ records, their legal jurisdictions, and the laws governing them. On another hand, Lebanon must carefully navigate the global tech and AI market, drawing on international experiences to strengthen its digital environment and strengthen its digital sovereignty.
On a technical level, vulnerabilities in government IT infrastructure highlight the need for regular updates to software, operating systems, and applications, as well as continuous monitoring and immediate patching of flaws. Moreover, the lack of cybersecurity and privacy awareness among public employees implies the need for periodic training focused on best practices and mechanisms to report suspicious activity.
Finally, Lebanon’s excessive reliance on closed-source technology must be reconsidered at a time when the world is gradually shifting toward open-source software, as seen in Denmark, France, and elsewhere. It might prove useful for Lebanon to follow this orientation, given its cost-effectiveness and adaptability to local needs. Lebanon could launch a national program in partnership with the Lebanese University and private universities to develop open-source software, with localized data retention, processing, and protection, as an integral component of national security.
Finally, with regard to incident response readiness, it is important to develop and periodically update integrated emergency and response plans. Network security should also be strengthened through the adoption of firewalls, encryption, and continuous network activity monitoring.
Addressing these challenges requires a holistic approach that combines a deep understanding of risks, as well as a commitment to keeping pace with technological evolution through relevant strategies. Collaboration with cybersecurity experts is needed, as they possess a solid understanding of the intersection between human rights and their respective fields. Lebanon must draw on successful global experiences and prioritize the security and privacy of its people.
A Fractured Telecommunications Sector
During the current war with Israel, the telecom sectors witnessed the same fate as during the September 2024 war, which claimed the lives of thousands of Lebanese residents.
In both cases, the Lebanese Ministry of Telecommunications failed to establish a contingency plan to address the country’s dire pre-war internet and connectivity situation. The dereliction persisted despite over a year and a half of demands following the September 2024 war, and months of warnings leading up to the present war, not to mention that emergency planning should be a peacetime endeavor in anticipation of crises.
*It is worth noting that Alfa, Touch, and Ogero stations are still suffering from significant damage sustained during the 2024 war and have not been fully repaired. That is the main cause behind the poor internet service (or its total cut-off) in South Lebanon, which was weak even before the war. Paradoxically, the two mobile operators, Alfa and Touch, activated “Data National Roaming” just before the onset of the Israeli war in early March. This service allows subscribers to automatically connect to the other company’s network in the event of a signal loss.
Today, the sector faces multiple challenges, most notably displaced people’s limited access to the internet. High service costs—on top of already poor quality—restrict connectivity, while heavy demand in “safe” areas and displacement centers further strains networks.
To stay connected, displaced people have improvised solutions. Some power devices with car batteries, while others try to access Wi-Fi from nearby shops. Meanwhile, touch has introduced a “solidarity” bundle that offers lower-cost data. Still, providers need to extend grace periods before cutting off lines and improve network quality to meet urgent needs.
Such obstacles impact people’s ability to communicate, check on loved ones, follow the news, and work or study remotely. In addition, the role of the internet and electronic devices in providing entertainment is no less important, especially during times of war.
Access to these tools is a right; their absence directly undermines freedom of expression and communication and obscures the narratives of a people living under the weight of war and displacement.
Building on these observations, SMEX addressed a series of questions to the Ministry of Telecommunications, which provided brief responses devoid of technical substance. Among the unanswered queries were those looking into securing internet access in areas with high population density due to displacement, the possibility of expanding the network, and whether mobile base stations would be deployed.
The Ministry also provided no details regarding its plans to support remote learning, whether free routers would be provided in shelters, or whether line validity will be extended or free bundles will be provided for emergency crews, journalists, and frontline workers.
Ministry sources reported to SMEX that since the onset of the war, intensive daily meetings have been held to manage a “national emergency plan.” However, reality has shown us that such initiatives remain a secret plan, of which the nature and details cannot be disclosed.
Meanwhile, residents continue to receive daily threats and evacuation notices via messages and calls. In an interview with SMEX, one resident who had received such a call revealed that when he contacted the relevant security authorities to report the number, he was met with a dismissive, mocking response: “If they told you to leave, just leave.”
Who is, then, responsible for regulating and addressing these calls? This question prompts broader speculation regarding data privacy in all its forms: Who is protecting the data of the Lebanese people, and how was it leaked on such a massive scale?
