Zero|Tolerance Intelligence Advisory
zerotolerance.me

Saudi Pharma Health Platform 7 Million Patient Records Sold on Dark Web

May 2024 · 7M+ patients

Publication Date: 2024-05-01
Category: Data Breaches
Author: K. Ellabban
Organization: Zero|Tolerance Security Research

In May 2024, a threat actor operating under the alias “sentap” (linked to “Zestix” via threat intelligence correlation) listed a SQL database containing over 7 million patient records from a Saudi pharmaceutical health platform for sale on the Exploit cybercrime forum. The dataset, sourced from 2023 records, included full patient names, phone numbers, home addresses, payment methods, transaction details, and highly sensitive biometric and medical information such as blood type, height, weight, gender, pregnancy status, and breastfeeding status.

Executive Summary

Key Facts

  • What: 7 million patient records sold on the Exploit forum by the threat actor sentap.
  • Who: Patients of a Saudi pharmaceutical health platform (up to 1 in 5 residents).
  • Data Exposed: Names, addresses, blood types, pregnancy status, and payment details.
  • Outcome: Occurred during the PDPL grace period; sentap linked to FunkSec RaaS.
Impact Assessment

What Was Exposed

  • Full patient names linked to pharmaceutical transaction histories and medical profiles spanning the 2023 calendar year
  • Phone numbers and residential addresses associated with patient registration and delivery records
  • Payment methods and detailed transaction records, including purchase histories for pharmaceutical products and health services
  • Biometric and physiological data including height, weight, gender, and blood type
  • Reproductive health indicators including pregnancy status and breastfeeding status, classified as sensitive personal data under the PDPL

The scale of 7 million records is striking in the context of Saudi Arabia’s population of approximately 36 million. If the records represent unique individuals, this breach could affect roughly one in five residents of the Kingdom. Even accounting for duplicate entries and repeat customers, the exposure represents a significant proportion of the population that has interacted with the pharmaceutical health platform.

The inclusion of reproductive health data (pregnancy and breastfeeding status) elevates this breach beyond a conventional data exposure. In the cultural context of Saudi Arabia, the unauthorized disclosure of a woman’s pregnancy or breastfeeding status can have profound personal and social consequences. This category of data is among the most sensitive recognized under international data protection frameworks, and its appearance in a dark web listing intended for criminal exploitation represents a severe failure of the duty of care owed to patients.

The threat actor sentap has a well-documented operational profile across threat intelligence platforms. As an Initial Access Broker (IAB) active on the Exploit forum, sentap’s known methods include leveraging infostealer-derived credentials, exploiting misconfigured SFTP/FTP services, and selling initial access to larger ransomware groups. The connection to FunkSec RaaS operations is particularly concerning, as it suggests that sentap operates within a broader criminal ecosystem where initial access is monetized through multiple channels: direct database sales, ransomware deployment, or both.

The SQL format of the dataset and the 2023 date range suggest that sentap either gained persistent access to the platform’s backend database through stolen credentials or exploited a misconfigured asset that exposed database interfaces to the internet.

The Exploit forum’s paywall model, which requires forum points earned through community participation or purchased from established members, serves as a vetting mechanism that ensures only serious buyers gain access to the listing. This is not a casual data dump on a public paste site; it is a structured commercial offering within one of the most established Russian-language cybercrime ecosystems.

The paywall model also makes it more difficult for threat intelligence firms and law enforcement to monitor and acquire the data for analysis, reducing the likelihood of early detection and victim notification.

Compliance Impact

Regulatory Analysis

This breach occurred during the grace period of the PDPL (Personal Data Protection Law), which ran from September 2023 until full enforcement on September 14, 2024. During this transitional window, organizations were expected to bring their data processing practices into compliance with the law, but SDAIA (the Saudi Data and Artificial Intelligence Authority) had not yet begun formal enforcement actions. The timing creates a regulatory gray zone: the breach represents conduct that would clearly violate the PDPL under full enforcement, but the formal penalty mechanisms were not yet operational at the time of the data’s appearance on the Exploit forum.

Under the now-active enforcement regime, the platform operator would face significant regulatory exposure. Article 23 of the PDPL addresses health data processing, while Article 1 defines the sensitive data categories, including health data, as sensitive personal data; the reproductive health indicators in this dataset, pregnancy and breastfeeding status, fall squarely within the most protected category.

Processing sensitive data requires either explicit consent from the data subject or a specific legal basis enumerated in the law, and the security obligations attached to sensitive data are correspondingly heightened.

Article 20 (breach notification) mandates notification to SDAIA within 72 hours when personal data is compromised in a manner that may harm individuals. The sale of 7 million patient records on a cybercrime forum unambiguously meets this threshold. Under current rules, the platform operator would be required to notify SDAIA, detail the categories and volume of data affected, and describe the measures taken to contain the breach.

The maximum administrative penalty of SAR 5 million could be imposed, though given the scale and sensitivity of the exposed data, supplementary enforcement actions including mandatory audits and operational restrictions would also be likely.

Assessment

What Should Have Been Done

The platform should have implemented a credential security program that specifically addressed the threat of infostealer malware, which is sentap’s known primary attack vector. This includes mandatory multi-factor authentication (MFA) for all administrative and database access, certificate-based authentication for machine-to-machine connections, and continuous monitoring of dark web credential markets for any leaked credentials associated with the platform’s domains and email addresses.

Credential hygiene should have been enforced through automated password rotation, prohibition of password reuse across systems, and integration with threat intelligence feeds that flag compromised credentials in real time.

SFTP and FTP services, which are among sentap’s documented exploitation targets, should have been secured with IP allowlisting, key-based authentication rather than password authentication, and continuous monitoring for anomalous file transfers. Any file transfer protocol that exposes database contents or patient data should have been isolated from the public internet and accessible only through a VPN or zero-trust network architecture. Legacy FTP services should have been decommissioned entirely in favor of SFTP with enforced encryption.

Database security should have included encryption at rest and in transit, with column-level encryption for the most sensitive fields including reproductive health indicators. Database activity monitoring (DAM) should have been deployed to detect bulk extraction queries, and data loss prevention (DLP) controls should have flagged the exfiltration of a 7-million-row dataset.
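The bulk-extraction detection this paragraph calls for, shown as an added example that is not part of this advisory or of any DAM product: a minimal rule set in Python run over constructed database audit log lines. The log format (one key=value record per line with the statement quoted), the table names, user names, source addresses and thresholds are all assumptions chosen for illustration. The rules flag sessions from outside an allowlisted network segment, single queries that return an implausible row count, unbounded SELECTs on sensitive tables, and chunked extraction that stays under the per-query threshold but crosses a per-user cumulative threshold inside a time window.

```python
"""Bulk-extraction detection over database audit logs.

Added example, not part of the Zero|Tolerance advisory: a minimal
database activity monitoring (DAM) rule set run over constructed audit
log lines. The log format, the table names, user names, source
addresses and thresholds are all assumptions chosen for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# --- Assumed policy -------------------------------------------------------
SENSITIVE_TABLES = {"patients", "transactions"}   # assumed table names
ROW_THRESHOLD = 1_000_000       # rows returned by one query on a sensitive table
CUMULATIVE_THRESHOLD = 500_000  # rows per user per WINDOW across sensitive tables
WINDOW = timedelta(hours=1)
ALLOWED_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal app/DB segment

# --- Constructed sample audit lines (not real data) -----------------------
SAMPLE_LOG = """\
2023-11-13T09:12:01Z user=web_app db=pharma src=10.0.2.14 rows=1 stmt="SELECT name, phone FROM patients WHERE id = 48213"
2023-11-13T09:12:07Z user=web_app db=pharma src=10.0.2.14 rows=12 stmt="SELECT * FROM transactions WHERE patient_id = 48213 LIMIT 50"
2023-11-14T02:41:30Z user=db_admin db=pharma src=203.0.113.77 rows=7104233 stmt="SELECT * FROM patients"
2023-11-14T02:44:02Z user=db_admin db=pharma src=203.0.113.77 rows=0 stmt="SELECT version()"
2023-11-14T03:10:11Z user=report_svc db=pharma src=10.0.9.3 rows=250000 stmt="SELECT * FROM transactions WHERE id BETWEEN 1 AND 250000"
2023-11-14T03:11:15Z user=report_svc db=pharma src=10.0.9.3 rows=250000 stmt="SELECT * FROM transactions WHERE id BETWEEN 250001 AND 500000"
2023-11-14T03:12:20Z user=report_svc db=pharma src=10.0.9.3 rows=250000 stmt="SELECT * FROM transactions WHERE id BETWEEN 500001 AND 750000"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) src=(?P<src>\S+) '
    r'rows=(?P<rows>\d+) stmt="(?P<stmt>[^"]*)"$'
)
TABLE_RE = re.compile(r"\b(?:FROM|JOIN)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)
BOUNDED_RE = re.compile(r"\b(?:WHERE|LIMIT)\b", re.IGNORECASE)


def parse_line(line):
    """Parse one audit record into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["rows"] = int(ev["rows"])
    ev["tables"] = {t.lower() for t in TABLE_RE.findall(ev["stmt"])}
    return ev


def is_internal(src):
    """True if the client address lies inside the allowlisted segment."""
    try:
        return ipaddress.ip_address(src) in ALLOWED_NET
    except ValueError:
        return False


def analyze(log_text):
    """Run the rule set over audit text; return a list of alert dicts in log order."""
    alerts = []
    windows = defaultdict(list)  # user -> [(ts, rows)] for reads of sensitive tables

    def alert(rule, ev, raw):
        alerts.append({"rule": rule, "user": ev["user"], "line": raw})

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        # Rule 1: any database session from outside the allowlisted segment.
        if not is_internal(ev["src"]):
            alert("external_source", ev, raw)
        if not (ev["tables"] & SENSITIVE_TABLES):
            continue
        # Rule 2: a single query returning an implausible number of rows.
        if ev["rows"] >= ROW_THRESHOLD:
            alert("bulk_query", ev, raw)
        # Rule 3: full-table read with neither WHERE nor LIMIT.
        if ev["stmt"].upper().startswith("SELECT") and not BOUNDED_RE.search(ev["stmt"]):
            alert("unbounded_select", ev, raw)
        # Rule 4: chunked extraction that stays under ROW_THRESHOLD per query
        # but crosses CUMULATIVE_THRESHOLD for one user inside WINDOW.
        w = windows[ev["user"]]
        cutoff = ev["ts"] - WINDOW
        w[:] = [(t, r) for t, r in w if t >= cutoff]
        before = sum(r for _, r in w)
        w.append((ev["ts"], ev["rows"]))
        if before <= CUMULATIVE_THRESHOLD < before + ev["rows"]:
            alert("cumulative_extraction", ev, raw)
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a['rule']:<22} {a['user']:<11} {a['line'][:60]}")
```

On the constructed input the ordinary per-patient lookups by web_app raise nothing, the full-table read by db_admin from an external address trips four rules at once, and the report_svc session shows why a per-query threshold alone is not enough: each of its three queries returns 250,000 rows, under the single-query limit, and only the per-user sliding window catches the extraction when the third chunk pushes the total past 500,000 rows. In production the same logic would run against the database engine's native audit stream rather than a text file, and the thresholds would be calibrated against each service account's normal row counts.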

Network segmentation should have isolated the patient database from internet-facing application servers, ensuring that even if an attacker compromised the web layer, lateral movement to the database tier would require bypassing additional authentication and monitoring controls.

When an Initial Access Broker with documented ties to ransomware operations sells 7 million patient records, including reproductive health data, on one of the internet’s most established cybercrime forums, it exposes the full chain of failure: from stolen credentials to unmonitored databases to the absence of any detection mechanism. The PDPL grace period may have shielded the operator from formal penalties, but it did not shield 7 million patients from having their most intimate health data monetized by criminals.