Zero|Tolerance Intelligence Advisory (zerotolerance.me)

Al-Toufan Multi-Wave Hacktivist Campaign Against Bahraini Government

2023-2024 · Government sector

Publication Date: 2023-01-01
Category: Data Breaches
Author: K. Ellabban
Organization: Zero|Tolerance Security Research

Beginning on February 14, 2023 - the twelfth anniversary of Bahrain’s Arab Spring uprising - a hacktivist group identifying itself as Al-Toufan (“The Flood”) launched a sustained, multi-wave campaign against Bahraini government infrastructure. The first wave took Bahrain International Airport, the Bahrain News Agency (BNA), and the Chamber of Commerce offline, while simultaneously defacing the website of Akhbar Al Khaleej, one of Bahrain’s oldest Arabic-language newspapers.

A second wave in November 2023 went further and - critically - exfiltrated and publicly released passport scans of American citizens and a senior Russian diplomat stationed in Bahrain, along with diplomatic card renewal requests containing full personal identifiable information. The Bahraini government confirmed the attacks but denied any data loss. A third wave across 2023-2024 targeted the e-visa service with website defacement, though authorities claimed no visa applicant data was compromised.
Executive Summary

Key Facts

  • What: Multi-wave hacktivist campaign with DDoS, defacements, and data theft.
  • Who: Bahrain airport, ministries, news agency, and foreign diplomats.
  • Data Exposed: US and Russian diplomatic passport scans and accreditation documents.
  • Outcome: Government denied data loss despite public evidence; no enforcement.
Impact Assessment

What Was Exposed

The Al-Toufan campaign represents a hybrid threat model that combined volumetric disruption (DDoS), propaganda operations (defacement), and targeted data exfiltration across multiple distinct attack waves. The most consequential exposure occurred during the November 2023 wave, where the group published verifiable documents containing sensitive personal data of foreign diplomats and their dependents.

  • Passport scans of American citizens resident in or transiting through Bahrain, containing full names, passport numbers, dates of birth, nationalities, photographs, and machine-readable zone (MRZ) data - sufficient for identity fraud and travel document forgery
  • Passport documentation of a senior Russian diplomat stationed at the Russian Embassy in Bahrain, exposing the identity and posting details of an accredited foreign service officer - a significant counterintelligence concern
  • Diplomatic card renewal requests containing personal details, accreditation status, posting duration, and potentially family member information for diplomats and their dependents
  • Disruption of Bahrain International Airport web services during Wave 1, potentially affecting flight information, booking services, and passenger-facing digital infrastructure
  • Compromise and defacement of the Bahrain News Agency (BNA), the kingdom’s official state news wire, undermining information integrity during a politically sensitive period
  • E-visa service defacement in Wave 3, raising questions about the security of visa applicant databases containing passport data, travel histories, biometric photographs, and contact information of foreign nationals seeking entry to Bahrain

The diplomatic passport leak is the most significant element of this campaign from a data protection perspective. Diplomatic documents are among the most sensitive categories of personal data processed by any government - they identify individuals who may be intelligence officers under diplomatic cover, reveal bilateral diplomatic relationships, and expose individuals to targeted surveillance, harassment, or physical threats.

The publication of American and Russian diplomatic passport scans on public channels transformed what could have been a routine hacktivist disruption campaign into an international incident with intelligence implications.

The Bahraini government’s response - confirming the attacks while denying data loss - is a textbook example of cognitive dissonance in breach response.

When the leaked documents are verifiable and publicly accessible, denying their existence erodes institutional credibility faster than the breach itself. This response pattern is particularly damaging in the diplomatic context, where the affected governments (the United States and Russia) have independent means to verify whether their nationals’ documents were compromised.

The operational pattern of Al-Toufan warrants analysis beyond the individual incidents.

The group demonstrated the ability to sustain operations over more than a year, with each wave showing escalation in both technical sophistication and political targeting.

Wave 1 was primarily disruptive (DDoS and defacement). Wave 2 incorporated data exfiltration and publication - a qualitative escalation that requires deeper network penetration, data identification, and operational infrastructure for leak distribution. Wave 3 maintained persistent access to government-facing services.

This escalation ladder is characteristic of groups with sustained sponsorship or organizational infrastructure, not ad hoc hacktivist collectives.

The geopolitical context is essential for understanding the threat model. Al-Toufan’s operations align with the strategic interests of Iran-aligned actors in the region: the Arab Spring anniversary timing references the Shia-majority population’s grievances against the Sunni-led monarchy, while the November 2023 escalation directly responded to Bahrain’s foreign policy alignment with Israel and condemnation of Hamas. Whether Al-Toufan operates independently, receives direction from state-aligned entities, or functions as a front for a more capable actor remains unconfirmed - but the operational tempo, escalation pattern, and target selection suggest capabilities beyond typical hacktivist groups.

The choice to publish diplomatic documents rather than citizen or government employee data reveals a calculated strategic logic. By exposing foreign diplomatic PII, Al-Toufan created consequences that extend beyond Bahrain’s domestic politics: it damaged Bahrain’s credibility as a secure posting for foreign diplomatic missions, forced the United States and Russia to reassess the security of their in-country diplomatic communications, and demonstrated that Bahraini government systems cannot adequately protect the most sensitive categories of entrusted data.

This is information warfare in its most precise form - using data exposure as a strategic lever to undermine trust in state institutions.

Compliance Impact

Regulatory Analysis

Bahrain’s Personal Data Protection Law (PDPL), enacted as Law No. 30 of 2018 and effective since August 2019, establishes a comprehensive framework for the protection of personal data. The Al-Toufan campaign tests this framework across multiple dimensions: government-held data, diplomatic records, cross-border data obligations, and the adequacy of breach notification procedures.

Article 2 of the PDPL defines its scope to include any processing of personal data carried out by a natural or legal person in the Kingdom of Bahrain. Government ministries and agencies are not exempted from this scope, meaning the Foreign Ministry’s processing of diplomatic documents, the Information Affairs Ministry’s operations, and the e-visa service’s processing of applicant data all fall squarely within the PDPL’s jurisdiction. The question is not whether the PDPL applies but whether it was enforced.

Article 8 requires data controllers to implement appropriate technical and organizational security measures proportionate to the sensitivity of the data processed. Diplomatic passport scans and accreditation documents represent some of the most sensitive personal data categories imaginable - they identify individuals who serve in official government capacities abroad and whose exposure may create physical security risks.

The fact that these documents were exfiltrated and published suggests that the Foreign Ministry’s technical security measures were manifestly inadequate for the sensitivity of the data they were entrusted to protect. A ministry that processes diplomatic credentials should maintain security controls at least equivalent to classified information handling standards, including air-gapped storage for biometric documents, strict access controls, and real-time monitoring of any access to diplomatic record databases.

Article 12’s breach notification requirements are directly engaged by the Wave 2 data exfiltration. The publication of passport scans and diplomatic card renewal requests constitutes an unambiguous personal data breach under any reasonable interpretation of the PDPL. The government’s denial of data loss, in the face of publicly accessible leaked documents, raises serious questions about whether notification obligations were fulfilled - either to the Personal Data Protection Authority or to the affected foreign nationals whose passport data was compromised.

Under Article 12, the obligation to notify arises upon becoming aware that a breach has occurred, not upon the controller’s willingness to acknowledge it.

The cross-border dimension introduces additional complexity. The affected data subjects include American and Russian citizens whose personal data was processed by Bahraini government entities. While the PDPL does not establish the same robust cross-border transfer mechanisms as the EU’s GDPR, the international diplomatic implications of exposing foreign nationals’ data create de facto obligations that transcend the PDPL’s territorial scope.

The United States government, in particular, has established expectations for the protection of its nationals’ data by foreign governments, and the exposure of American passport scans by a hacktivist group exploiting Bahraini government systems has bilateral diplomatic consequences that no domestic data protection law can fully address.

The maximum penalty under the PDPL - BD 20,000 (approximately $53,000 USD) - is a rounding error in the context of a multi-wave campaign that compromised multiple government ministries, exposed diplomatic credentials, and damaged Bahrain’s international reputation as a secure diplomatic posting. No public enforcement action has been reported against any government entity involved in the Al-Toufan incidents.

This pattern of non-enforcement against government bodies creates a two-tier regulatory system where the PDPL functions as a constraint on private-sector data processing while remaining effectively unenforceable against the state entities that process the most sensitive categories of personal data.

Assessment

What Should Have Been Done

The multi-wave nature of the Al-Toufan campaign means that the Bahraini government had multiple opportunities to harden its infrastructure after Wave 1 and prevent the more damaging Waves 2 and 3. The failure to do so suggests either inadequate incident response processes, insufficient investment in remediation, or a fundamental underestimation of the threat actor’s persistence and escalation trajectory.

After Wave 1 in February 2023, the government should have immediately conducted a comprehensive security assessment across all internet-facing government infrastructure.

When a threat actor successfully disrupts multiple government websites simultaneously, the correct assumption is that additional access vectors exist and that the group will return. A full audit of all government web applications, APIs, and public-facing services should have been completed within 30 days of the initial wave, with prioritized remediation of any critical or high-severity vulnerabilities. This assessment should have included penetration testing of the Foreign Ministry’s systems, given the politically motivated nature of the campaign and the sensitivity of diplomatic data.

Diplomatic records - including passport scans, accreditation documents, and visa applications - should never be accessible from internet-facing systems.

These documents should be stored in isolated, air-gapped environments with strict role-based access controls, multi-factor authentication, and comprehensive audit logging of every access event. The document management system should implement data-at-rest encryption with hardware security module (HSM)-managed keys, ensuring that even if an attacker breaches the network perimeter, the documents remain encrypted and inaccessible without the corresponding cryptographic keys.

The fact that Al-Toufan was able to exfiltrate readable passport scans suggests these documents were stored in plaintext or in systems accessible from the compromised network segments.
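To make the storage design described in the preceding paragraphs concrete, here is an added example (written for this page; it is not code from the advisory, from Zero|Tolerance, or from any Bahraini ministry system) of a document vault that keeps the master key behind a custodian object standing in for the HSM/KMS boundary, wraps a fresh data key per document, enforces a role-plus-MFA check before any read, and appends every access attempt to an audit log. The cipher is an HMAC-SHA256 keystream with encrypt-then-MAC, used only to keep the example free of third-party dependencies; a production deployment would use AES-GCM with keys that never leave the HSM. The roles, document IDs and the passport text are all constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# All roles, document IDs and the sample passport text below are constructed
# for this example; they are not taken from the advisory or any real system.

BLOCK = 32  # one HMAC-SHA256 output per keystream block


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256(key, nonce || counter) as keystream.
    Kept dependency-free for the example; production code should use AES-GCM
    with keys held in an HSM/KMS."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def _subkeys(data_key: bytes) -> tuple:
    # Separate encryption and MAC keys derived from one data key.
    return (hmac.new(data_key, b"enc", hashlib.sha256).digest(),
            hmac.new(data_key, b"mac", hashlib.sha256).digest())


def seal(data_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc, mac = _subkeys(data_key)
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(enc, nonce, plaintext)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def open_sealed(data_key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(data_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return _keystream_xor(enc, nonce, ct)


class KeyCustodian:
    """Models the HSM/KMS boundary: the master key never leaves this object.
    Callers receive data keys only in wrapped (encrypted) form."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)

    def new_wrapped_data_key(self) -> tuple:
        dk = secrets.token_bytes(32)
        return dk, seal(self._master, dk)

    def unwrap(self, wrapped: bytes) -> bytes:
        return open_sealed(self._master, wrapped)


@dataclass
class DocumentVault:
    custodian: KeyCustodian
    store: dict = field(default_factory=dict)       # what a network intruder could copy
    audit_log: list = field(default_factory=list)   # append-only record of every access
    # role -> document classes it may read (hypothetical roles)
    roles: dict = field(default_factory=lambda: {
        "consular_officer": {"diplomatic"},
        "web_portal": set(),  # internet-facing component gets no read access at all
    })

    def _audit(self, **event) -> None:
        self.audit_log.append({"ts": time.time(), **event})

    def put(self, doc_id: str, doc_class: str, plaintext: bytes) -> None:
        dk, wrapped = self.custodian.new_wrapped_data_key()   # fresh key per document
        self.store[doc_id] = {"class": doc_class, "wrapped_key": wrapped,
                              "blob": seal(dk, plaintext)}
        self._audit(action="put", doc=doc_id)

    def get(self, doc_id: str, principal: str, role: str, mfa_verified: bool) -> bytes:
        rec = self.store[doc_id]
        allowed = mfa_verified and rec["class"] in self.roles.get(role, set())
        self._audit(action="get", doc=doc_id, principal=principal, role=role,
                    mfa=mfa_verified, allowed=allowed)
        if not allowed:
            raise PermissionError(f"{principal} ({role}) denied access to {doc_id}")
        dk = self.custodian.unwrap(rec["wrapped_key"])   # unwrap happens at the custodian
        return open_sealed(dk, rec["blob"])


def demo() -> dict:
    """Exercise the vault and report the properties the text asks for."""
    vault = DocumentVault(KeyCustodian())
    passport = b"P<UTOSAMPLE<<HOLDER<<<<< 000000000 (constructed)"
    vault.put("dip-0001", "diplomatic", passport)
    # Everything an intruder on the network segment could copy:
    copied = b"".join(r["wrapped_key"] + r["blob"] for r in vault.store.values())
    portal_denied = False
    try:
        vault.get("dip-0001", "portal-svc", "web_portal", mfa_verified=True)
    except PermissionError:
        portal_denied = True
    officer_read = vault.get("dip-0001", "j.doe", "consular_officer", mfa_verified=True)
    return {"plaintext_in_copy": passport in copied,
            "portal_denied": portal_denied,
            "officer_read_ok": officer_read == passport,
            "audit_events": len(vault.audit_log)}
```

The check in demo() that matters most is the first: a copy of the store taken from a compromised network segment contains no passport plaintext, which is exactly the property the text says was missing. The internet-facing web_portal role is refused and the refusal itself lands in the audit log, so an attempt by a compromised public-facing component is visible to monitoring rather than silent.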

DDoS mitigation should have been deployed across all government web properties following Wave 1. Commercial DDoS mitigation services from providers such as Cloudflare, Akamai, or AWS Shield can absorb volumetric attacks that would otherwise overwhelm government-hosted infrastructure. For critical services like airport information systems and news agencies, always-on DDoS protection (rather than on-demand scrubbing) should be the baseline configuration.

The fact that Wave 2 and Wave 3 were still able to take government sites offline months after the initial attacks suggests that no meaningful DDoS mitigation was implemented between waves.

Web application firewalls (WAFs) with virtual patching capabilities should have been deployed to protect against the exploitation techniques used for website defacement and data exfiltration. The e-visa service defacement in Wave 3 is particularly concerning because visa application systems process structured personal data (names, passport numbers, travel histories, biometric photos) that is far more valuable than the website content itself.

A properly configured WAF with behavioral analysis rules would detect and block the anomalous request patterns characteristic of SQL injection, file inclusion, and other web application exploitation techniques typically used in defacement campaigns.

The government should have established a centralized security operations center (SOC) with unified visibility across all government ministry networks. The Al-Toufan campaign exploited the fact that each ministry likely operated its own IT infrastructure with inconsistent security controls and no centralized monitoring.

A national government SOC would provide the correlation capabilities needed to detect a campaign targeting multiple ministries simultaneously, enable coordinated incident response, and ensure that lessons learned from each wave are immediately applied across all government entities. Bahrain’s National Centre for Cyber Security (NCCS) should have served this function, but the multi-wave success of Al-Toufan suggests its operational capabilities were insufficient to protect the government attack surface.
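As an added illustration of both the WAF signature detection described a few paragraphs earlier and the cross-ministry correlation a national SOC would perform (example code written for this page, not a product of the advisory, the NCCS, or any WAF vendor), the following Python reads constructed web-server log lines from three hypothetical ministries, tags requests that match coarse SQL-injection or file-inclusion signatures, and raises one campaign alert when a single source triggers signatures against two or more ministries within an hour. Ministry names, IP addresses and request paths are all invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed web-server log lines from three hypothetical ministries, in a
# simplified tab-separated form: ministry, timestamp, source IP, method, path,
# status. Names, addresses and paths are invented for this example.
SAMPLE_LOGS = """\
ministry-a\t2023-11-02T10:00:01\t203.0.113.5\tGET\t/news?id=12\t200
ministry-a\t2023-11-02T10:00:03\t203.0.113.5\tGET\t/news?id=12'%20OR%20'1'='1\t500
ministry-a\t2023-11-02T10:00:04\t203.0.113.5\tGET\t/news?id=12%20UNION%20SELECT%201,2\t500
ministry-b\t2023-11-02T10:01:10\t203.0.113.5\tGET\t/page.php?file=../../../../etc/passwd\t404
ministry-c\t2023-11-02T10:02:30\t203.0.113.5\tPOST\t/admin/upload.php\t403
ministry-b\t2023-11-02T10:03:00\t198.51.100.7\tGET\t/index.php\t200
ministry-c\t2023-11-02T14:30:00\t198.51.100.7\tGET\t/contact\t200
"""

# WAF-style signatures applied to the URL-decoded request path. These are the
# coarse, well-known patterns the text names; a real ruleset is far larger.
SIGNATURES = {
    "sqli": re.compile(r"'\s*(or|and)\s*'|union\s+select", re.I),
    "file_inclusion": re.compile(r"\.\./|/etc/passwd|php://", re.I),
}


def classify(path: str) -> list:
    """Return the names of every signature the decoded path matches."""
    decoded = unquote(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def parse_line(line: str) -> dict:
    ministry, ts, src, method, path, status = line.split("\t")
    return {"ministry": ministry, "ts": datetime.fromisoformat(ts), "src": src,
            "method": method, "path": path, "status": int(status),
            "tags": classify(path)}


def correlate(events: list, window: timedelta = timedelta(hours=1),
              min_ministries: int = 2) -> list:
    """One alert per source that fires signatures against at least
    min_ministries distinct ministries inside a sliding time window.
    A single ministry's WAF cannot produce this view; it needs the merged feed."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["tags"]:
            by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, anchor in enumerate(evs):
            span = [e for e in evs[i:] if e["ts"] - anchor["ts"] <= window]
            ministries = sorted({e["ministry"] for e in span})
            if len(ministries) < min_ministries:
                continue
            if best is None or len(ministries) > len(best["ministries"]):
                best = {"src": src, "ministries": ministries,
                        "tags": sorted({t for e in span for t in e["tags"]}),
                        "events": len(span),
                        "first_seen": anchor["ts"].isoformat(),
                        "last_seen": span[-1]["ts"].isoformat()}
        if best:
            alerts.append(best)
    return alerts


def analyze(log_text: str) -> list:
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return correlate(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

Seen only from ministry-b's own logs, the single traversal attempt is a lone 404 that an isolated IT team would plausibly dismiss; it becomes meaningful once joined with the injection attempts against ministry-a from the same source a minute earlier. Producing that joined view, and pushing the resulting block or rule to every ministry at once, is the correlation function the text says a national SOC should have provided.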

Finally, the government’s public communications strategy should have been honest and transparent. Denying data loss when leaked documents are publicly verifiable does not protect national security - it accelerates reputational damage and undermines citizen and international trust in government institutions.

A credible incident response communication should have acknowledged the breach, detailed the scope of affected data, described the remediation measures being implemented, and offered concrete assurances to the affected foreign nationals whose diplomatic documents were exposed. The diplomatic community expects professionalism in breach response, not denial.

The Al-Toufan campaign demonstrated that sustained hacktivist operations can achieve strategic impact against a nation-state when that state fails to learn from each successive attack wave. The exfiltration and publication of diplomatic passport scans transformed a hacktivist disruption campaign into an international incident with intelligence and foreign policy consequences. Under Bahrain’s PDPL, the government’s denial of data loss - contradicted by publicly available evidence - represents a failure of both breach notification obligations and institutional accountability.

The BD 20,000 maximum penalty is irrelevant when the regulator declines to act against the state entities it is mandated to oversee.