Lebanese security forces recently arrested a man on espionage charges. Under investigation, he admitted to breaching three organizations (a mobile operator, the car registration authority, and one of the country's largest food delivery platforms) and passing the collected data to a foreign intelligence service.

When asked how long it took to gain access to each system, he said under three minutes.

That's the sentence worth sitting with.

Three minutes

Not three months of reconnaissance. Not a sophisticated exploit. Not a team working in shifts. Three minutes. Per target.

What takes three minutes? Guessing a weak password. Finding an admin panel exposed on the internet with default credentials nobody changed after installation. Exploiting an unpatched login page that any basic security scanner would flag. These are not advanced attacks; they're beginner-level mistakes that automated tools catch on the first pass.

The fact that they worked on a mobile operator and two other large platforms doesn't mean the attacker was good. It means the systems were obviously, trivially vulnerable. And nobody was watching closely enough to notice someone walking in.

What was in those databases

The phrase "personal information was compromised" gets used so often that it stops landing. Let's be specific about what each breach actually contained.

The mobile operator database: full name, national ID number, home address, phone number, call records, account details. Everything a carrier needs to know exactly who you are and how to reach you.

The car registration database: name, national ID, address, vehicle make and model, plate number. A record of who you are and what you drive.

The food delivery app: name, phone number, the home address you have deliveries sent to, payment method, full order history. A detailed map of where you live and your daily patterns.

Put those three together and you have a complete profile. Name, photo (the national ID links to one), home address, phone, car, movement patterns, financial behavior. Everything needed to locate, surveil, or impersonate a person.

If you have a Lebanese mobile subscription, a registered car, or ever ordered food delivery, your data was in those databases.

What "collected the databases" means

Not a few records. The whole thing. Every subscriber. Every registered vehicle. Every customer account. Exported and sent. The scale is everyone, not someone.

The part nobody's talking about

The spy got caught. Good. The coverage has focused on the espionage angle: the foreign intelligence service, the national security implications, the individual who got arrested.

That's the wrong frame.

The bigger story is that two government databases and one of the country's most-used private platforms had security so weak that one person could breach all three in a morning. That's not a spy problem. That's an infrastructure problem. And catching the spy doesn't fix the infrastructure.

Your data got out. The person who took it got caught. The gap that let them in is probably still open.

There's been no public statement about what was taken or who is affected. No notification to the millions of Lebanese whose records were exported. No confirmation that the systems have been patched. The arrest closed the investigation. It didn't close the vulnerability.

What this means for your business

Two of the three breached organizations are government entities. They operate without competitive pressure and without meaningful accountability for security failures. That context explains, partially, how they got here.

But the food delivery app is private. Successful, well-funded, widely used. And it got hit by the same person with the same ease.

If you run a Lebanese business that holds customer data (names, phone numbers, addresses, order history, anything), one question applies directly: could this happen to us?

For most Lebanese SMBs, honestly, yes. Not because they're being targeted by foreign intelligence services. Because the same conditions that made those breaches trivial (no one actively watching, no patching schedule, exposed admin panels, passwords that were set once and never changed) describe most small business IT setups in the country.

The attacker in this case had specific targets and a handler. Random attackers don't. They scan everything that's accessible and take whatever they find. Your business doesn't have to be interesting to be compromised; it just has to be reachable.

The question to actually ask

Not "are we being targeted?" The right question is: if someone tried, how far would they get?

For most businesses, the honest answer to that question is the beginning of an actual security posture. Last week we wrote about the fundamentals: password managers, two-factor authentication, knowing who has access to what, moving client data off WhatsApp. None of that has changed. What this week adds is a concrete local data point about how real the risk is.

Not a theoretical worst-case. Not a warning from a security company trying to sell you something. A man in an interrogation room describing how he walked into three of Lebanon's largest data systems before lunch.

💡 First question to ask your team this week: What databases do we actually hold? Customer names and numbers, order history, supplier contacts, financial records: list them. Then ask: who can access each one, and how? That list is your actual exposure. It takes an hour and almost always turns up something nobody realized was a problem.