In November 2025, the Clop ransomware group listed Zain Group - Kuwait's largest telecommunications operator and one of the Gulf region's most significant digital infrastructure companies - on its dark web leak site, claiming to have exfiltrated data through the exploitation of CVE-2023-34362, the critical SQL injection vulnerability in Progress Software's MOVEit Transfer managed file transfer platform.
Zain Group, founded in Kuwait in 1983 as Mobile Telecommunications Company, serves more than 50 million subscribers across seven countries: Kuwait, Saudi Arabia, Bahrain, Iraq, South Sudan, Jordan, and Sudan, generating annual revenues of approximately $5.6 billion.
Key Facts
- What: Clop ransomware exploited MOVEit zero-day to breach Zain Group telecom.
- Who: 50+ million Zain subscribers across seven countries in the Gulf and Africa.
- Data Exposed: Customer data, billing records, corporate information, and HR files.
- Outcome: Listed on Clop leak site; part of global MOVEit campaign affecting hundreds.
What Was Exposed
- Customer data for 50+ million subscribers across Zain's seven-country footprint, potentially including names, national identity numbers, addresses, and contact details
- Billing records and payment history for Zain's consumer and enterprise customer base, potentially including credit card or bank account details used for bill payment
- Corporate customer data, including account details, contract terms, and usage data for Zain's enterprise division serving major Gulf and regional businesses
- Internal financial and operational data transferred through the MOVEit platform, potentially including revenue figures, cost data, and inter-subsidiary transfer documentation
- Human resources data for Zain Group's multinational workforce, potentially transmitted through MOVEit for payroll and HR administration purposes
- Network infrastructure documentation if technical files were transferred through the compromised MOVEit installation
- Regulatory compliance documentation and government relations data, given the sensitivity of Zain's licensing relationships with telecom regulators across seven jurisdictions
- Subscriber metadata including call records, data usage patterns, and location history to the extent these were processed through systems connected to the MOVEit infrastructure
The MOVEit Transfer vulnerability (CVE-2023-34362) that Clop exploited to access Zain Group's data represents one of the most consequential zero-day vulnerabilities of 2023. MOVEit Transfer is a managed file transfer (MFT) platform widely deployed in enterprise environments for the secure transmission of large files between organizations and their partners, suppliers, and regulators.
Financial services firms use it to transmit client data to auditors; healthcare organizations use it to share patient records with insurers; telecommunications companies use it to exchange subscriber data with roaming partners and to transfer operational data between subsidiaries. The platform's trusted status in enterprise environments - deliberately positioned as a "secure" file transfer solution - meant that data transmitted through MOVEit was often of exceptional sensitivity.
CVE-2023-34362 is a SQL injection vulnerability in MOVEit Transfer's web application layer that enables unauthenticated remote attackers to access the MOVEit database, modify data, and install LEMURLOOT - Clop's custom webshell - to enable persistent access and automated data exfiltration.
Clop appears to have developed or acquired knowledge of this zero-day vulnerability prior to its public disclosure, enabling the group to conduct a mass exploitation campaign against thousands of MOVEit installations worldwide during a brief window before the vulnerability was publicly known and patches were available. The group exploited the vulnerability at industrial scale, automating the compromise of MOVEit installations across multiple sectors and geographies simultaneously.
Zain Group's position as a telecommunications operator serving seven countries across three distinct regulatory regions - the Gulf Cooperation Council, the Arab world more broadly, and Sub-Saharan Africa - means that the regulatory implications of the breach extended far beyond Kuwait's domestic data protection framework. Each of Zain's operating companies is subject to the data protection laws and telecommunications regulations of its home jurisdiction.
A breach affecting data across all seven operating companies would simultaneously engage regulatory obligations in Kuwait (CITRA), Saudi Arabia (SDAIA's PDPL and CITC), Bahrain (PDPL and TRA), Jordan (TDRA and NISP), Iraq (CMC), South Sudan, and Sudan, creating a compliance challenge of extraordinary complexity.
The telecommunications sector holds a particularly sensitive category of personal data that extends well beyond what most other industries collect: call detail records (CDRs) capturing the time, duration, and endpoints of every communication made through Zain's network; location data generated by the continuous interaction of mobile devices with cell towers; SMS content (in some jurisdictions and system configurations); internet browsing metadata generated by data service usage; and financial transaction data from mobile money services operated by Zain's subsidiaries.
If the Clop compromise accessed systems connected to this subscriber data, the harm potential is fundamentally different from a typical corporate data breach.
Clop's operational model for the MOVEit campaign was distinctive from conventional ransomware operations. Rather than encrypting victim systems and demanding payment for decryption keys, Clop focused exclusively on data exfiltration through the MOVEit vulnerability and used the threat of public data publication as its sole extortion mechanism.
This pure extortion model reflects an operational evolution in which the group recognized that data theft and publication threats could be as financially productive as system encryption, while avoiding the operational complexity of deploying and managing encryption payloads at scale. For victims like Zain Group, this meant that operational disruption may have been minimal but data exposure risk was potentially severe.
The scale of the Clop MOVEit campaign - affecting hundreds of organizations globally, with total victim counts estimated in the thousands when including downstream customers of directly affected organizations - created a challenge for regulators and courts seeking to assign accountability for what was, in technical terms, a supply chain attack.
Organizations like Zain Group that used MOVEit as a trusted file transfer platform had limited visibility into the zero-day vulnerabilities that Progress Software's product contained, raising questions about the distribution of responsibility between software vendors, enterprise IT teams that chose to expose MOVEit to the internet, and the regulatory frameworks that define minimum security standards for critical data processing infrastructure.
Regulatory Analysis
Zain Group's breach by the Clop MOVEit campaign engages Kuwait's regulatory framework primarily through CITRA's role as both the telecommunications regulator and the data protection supervisory authority. As Kuwait's dominant telecommunications operator, Zain Kuwait operates under CITRA's telecommunications licensing regime, which imposes network security and customer data protection obligations as conditions of the operating licence.
A data breach affecting Zain Kuwait's subscriber data therefore engages both the data protection obligations under DPPR Decision No. 26/2024 and any security obligations embedded in Zain's telecommunications operating licence.
The 72-hour breach notification requirement under CITRA's DPPR Decision No. 26/2024 creates a specific procedural obligation that Zain Kuwait would have been required to fulfill promptly upon discovering that its MOVEit installation had been compromised.
The complexity of assessing the scope of a MOVEit breach - determining which files were exfiltrated through the SQL injection exploit requires forensic analysis of database transaction logs and network egress records - creates a tension between the 72-hour notification timeline and the time needed to develop an accurate assessment of the breach's scope.
CITRA's framework, like most comparable international frameworks, anticipates this tension by requiring notification within 72 hours of becoming aware of the breach rather than 72 hours after completing the forensic investigation, enabling iterative notifications as the scope assessment develops.
Zain's multi-country operations create a notification challenge of significant complexity. The parent entity's breach of its MOVEit installation may have involved data from subsidiaries operating under different regulatory regimes, each of which may have independent notification obligations to their respective regulators.
In Saudi Arabia, SDAIA's PDPL imposes notification requirements; in Bahrain, the PDPL and TRA have overlapping jurisdiction; in Jordan, the National Information Technology Center (NITC) and the Telecommunications Regulatory Commission (TRC) both have relevant oversight functions. Coordinating simultaneous notifications across seven regulatory jurisdictions, each with different requirements, timelines, and reporting formats, tests the limits of any organization's incident response capability.
Kuwait's E-Commerce Law No. 20/2014 provides an additional layer of security obligation relevant to Zain's digital service operations. Zain's customer portals, mobile apps, and online billing systems process personal and financial data in the course of electronic commerce transactions, engaging the security obligations established under this law for electronic service providers.
The compromise of systems through which this data flows - even if through a supply-chain vulnerability in a trusted file transfer platform rather than through direct compromise of the customer-facing systems themselves - constitutes a failure of the security obligations applicable to these electronic services.
The regulatory response to Clop's MOVEit campaign globally revealed a significant gap in the accountability framework for supply-chain vulnerabilities in enterprise software. Progress Software, the vendor of MOVEit Transfer, faced legal actions in multiple jurisdictions from organizations that suffered breaches through the zero-day vulnerability.
Kuwait's current regulatory framework does not address vendor liability for software vulnerabilities, creating an accountability gap that may discourage enterprise customers from pursuing legal remedies against software vendors whose products contain critical security flaws that enable large-scale data breaches.
What Should Have Been Done
The MOVEit zero-day represents a category of vulnerability that is, by definition, unknown at the time of exploitation and therefore impossible to patch before the attack. However, several compensating controls could have significantly limited the impact of a successful MOVEit exploitation on Zain Group's data environment.
Network segmentation and access restriction for the MOVEit Transfer installation would have been the most direct mitigation. MOVEit Transfer, as a file transfer platform, requires internet access to receive files from external parties but does not require unrestricted outbound internet access to function. Implementing strict egress filtering on the MOVEit server - allowing only specific, pre-approved outbound connections and blocking all other outbound traffic - would have constrained the ability of Clop's LEMURLOOT webshell to exfiltrate data to attacker-controlled infrastructure.
Clop's exfiltration methodology relies on the compromised MOVEit server being able to establish outbound connections to attacker infrastructure; egress filtering that requires all outbound connections to be explicitly approved would have blocked this exfiltration path.
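The egress control described above, as an added example that is not part of the original article and not Zain's or Progress Software's code. It models the MOVEit host's allowlist of approved outbound destinations (an internal database, a SIEM collector and a patch proxy, all hypothetical addresses constructed for the example), replays constructed host-firewall log lines against it to show which flows a default-deny policy would have stopped, and renders the same allowlist as an nftables output chain. The two flows to documentation-range addresses (203.0.113.0/24 and 198.51.100.0/24) stand in for attacker-controlled infrastructure.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// EgressRule is one pre-approved outbound destination (hypothetical, constructed for this example).
type EgressRule struct{ Name, CIDR, Port, Proto string }

// The only outbound flows a file-transfer server legitimately needs; Nftables
// below renders a default-deny policy that drops everything else.
var allowlist = []EgressRule{
	{"internal-db", "10.20.0.0/24", "1433", "tcp"},
	{"siem-collector", "10.30.0.5/32", "514", "tcp"},
	{"patch-proxy", "10.30.0.10/32", "3128", "tcp"},
}

// Flow is one outbound connection record parsed from the host firewall log.
type Flow struct {
	Dst            net.IP
	DstPort, Proto string
}

// parseFlow reads a constructed log line such as
// "src=10.20.0.50 dst=10.30.0.5 dport=514 proto=tcp bytes=1200".
func parseFlow(line string) (Flow, error) {
	kv := map[string]string{}
	for _, field := range strings.Fields(line) {
		k, v, _ := strings.Cut(field, "=") // fields without "=" simply carry no value
		kv[k] = v
	}
	dst := net.ParseIP(kv["dst"])
	if dst == nil {
		return Flow{}, fmt.Errorf("bad or missing destination in %q", line)
	}
	return Flow{Dst: dst, DstPort: kv["dport"], Proto: kv["proto"]}, nil
}

// allowed reports whether a flow matches a pre-approved destination.
func allowed(f Flow) bool {
	for _, r := range allowlist {
		_, network, err := net.ParseCIDR(r.CIDR)
		if err == nil && r.Proto == f.Proto && r.Port == f.DstPort && network.Contains(f.Dst) {
			return true
		}
	}
	return false
}

// Audit replays firewall log lines against the allowlist and returns the flows a default-deny egress policy would have blocked.
func Audit(lines []string) ([]Flow, error) {
	var blocked []Flow
	for _, line := range lines {
		f, err := parseFlow(line)
		if err != nil {
			return nil, err
		}
		if !allowed(f) {
			blocked = append(blocked, f)
		}
	}
	return blocked, nil
}

// Nftables renders the allowlist as a default-deny nftables output chain: loopback, established replies and approved destinations are accepted, the rest is logged and dropped.
func Nftables() string {
	var b strings.Builder
	b.WriteString("table inet egress {\n  chain output {\n")
	b.WriteString("    type filter hook output priority 0; policy drop;\n")
	b.WriteString("    oif lo accept\n    ct state established,related accept\n")
	for _, r := range allowlist {
		fmt.Fprintf(&b, "    ip daddr %s %s dport %s accept comment \"%s\"\n", r.CIDR, r.Proto, r.Port, r.Name)
	}
	b.WriteString("    log prefix \"egress-denied \" drop\n  }\n}\n")
	return b.String()
}

// Constructed sample log lines from the MOVEit host (10.20.0.50).
var sampleFlows = []string{
	"src=10.20.0.50 dst=10.30.0.5 dport=514 proto=tcp bytes=1200",
	"src=10.20.0.50 dst=10.20.0.7 dport=1433 proto=tcp bytes=88000",
	"src=10.20.0.50 dst=203.0.113.77 dport=443 proto=tcp bytes=734003200",
	"src=10.20.0.50 dst=10.30.0.10 dport=3128 proto=tcp bytes=5600",
	"src=10.20.0.50 dst=198.51.100.9 dport=22 proto=tcp bytes=51200",
}

func main() {
	blocked, err := Audit(sampleFlows)
	if err != nil {
		panic(err)
	}
	for _, f := range blocked {
		fmt.Printf("BLOCKED: %s/%s to %s\n", f.Proto, f.DstPort, f.Dst)
	}
	fmt.Print(Nftables())
}
```

The `ct state established,related accept` line is what lets the server answer inbound uploads from external parties while still refusing to originate connections of its own; without it a default-deny output chain would break the inbound file transfer the platform exists for. Running the audit against firewall logs is also a useful retrospective check: any blocked-flow hits on a file-transfer host are worth an analyst's attention even when the policy held.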
Web application firewall (WAF) deployment in front of the MOVEit Transfer web interface, with SQL injection detection rules enabled, provides a layer of defense against the exploitation technique used by Clop. While WAF rules cannot catch every novel exploitation technique, the SQL injection vector used in CVE-2023-34362 could have been detected and blocked by a properly configured WAF with up-to-date rule sets.
ModSecurity with the OWASP Core Rule Set, or a commercial WAF solution, configured to inspect and filter traffic to the MOVEit web interface would have added a detection and blocking layer between the attacker and the vulnerable application.
A comprehensive software asset inventory programme is a prerequisite for rapid response to zero-day vulnerabilities in enterprise software. Organizations that maintain an accurate, continuously updated inventory of all software deployed across their infrastructure can immediately identify which systems are running a vulnerable product and prioritize patching accordingly. For Zain Group, with an IT estate spanning multiple countries and subsidiaries, maintaining this inventory requires a Software Asset Management (SAM) tool with centralized visibility across the entire group.
When Progress Software released the emergency MOVEit patch on May 31, 2023, organizations with comprehensive software inventories were able to identify and patch all vulnerable installations within hours; those without such inventories may not have identified all vulnerable systems until days or weeks later.
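The inventory-driven triage the two paragraphs above describe, as an added example rather than anything from the article or from a real SAM product. It takes constructed inventory records for several operating companies, compares each MOVEit Transfer build against the first fixed build of its release branch, and sorts hosts into "patch now", "upgrade" (branch not covered by the advisory) and "ok". The fixed build numbers in `fixedBuilds` are placeholders, not Progress Software's actual version numbers; a real run would take them from the vendor advisory.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Asset is one record from the group-wide software inventory (constructed data).
type Asset struct {
	Host, Subsidiary, Product, Version string
}

// fixedBuilds maps each supported release branch of the product to the first
// build that carries the fix. PLACEHOLDER values: take the real fixed builds from
// the vendor advisory; these are not Progress Software's actual version numbers.
var fixedBuilds = map[string]string{
	"2023.0": "2023.0.9",
	"2022.1": "2022.1.9",
	"2022.0": "2022.0.9",
}

// Triage is the result of matching the inventory against the advisory.
type Triage struct {
	Vulnerable  []Asset // affected branch, below the fixed build
	Patched     []Asset // at or above the fixed build
	Unsupported []Asset // branch not covered by the advisory: must be upgraded
}

// compareVersions orders dotted numeric versions ("2022.1.3" < "2022.1.10"); a non-numeric component counts as 0.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		x, y := 0, 0
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x < y {
			return -1
		} else if x > y {
			return 1
		}
	}
	return 0
}

// branch returns the release branch ("2022.1") of a build ("2022.1.3").
func branch(version string) string {
	parts := strings.SplitN(version, ".", 3)
	if len(parts) < 2 {
		return version
	}
	return parts[0] + "." + parts[1]
}

// TriageInventory finds every installation of the named product and sorts it
// into the three action buckets; other products are ignored.
func TriageInventory(assets []Asset, product string) Triage {
	var t Triage
	for _, a := range assets {
		if !strings.EqualFold(a.Product, product) {
			continue
		}
		fixed, known := fixedBuilds[branch(a.Version)]
		switch {
		case !known:
			t.Unsupported = append(t.Unsupported, a)
		case compareVersions(a.Version, fixed) < 0:
			t.Vulnerable = append(t.Vulnerable, a)
		default:
			t.Patched = append(t.Patched, a)
		}
	}
	return t
}

// Constructed inventory spanning several operating companies.
var inventory = []Asset{
	{"mft-kw-01", "Zain Kuwait", "MOVEit Transfer", "2023.0.2"},
	{"mft-sa-01", "Zain KSA", "MOVEit Transfer", "2022.1.9"},
	{"mft-bh-01", "Zain Bahrain", "MOVEit Transfer", "2022.0.10"},
	{"mft-iq-01", "Zain Iraq", "MOVEit Transfer", "2022.1.3"},
	{"mft-jo-01", "Zain Jordan", "moveit transfer", "2021.0.4"},
	{"erp-kw-01", "Zain Kuwait", "SAP ERP", "6.0"},
}

func main() {
	t := TriageInventory(inventory, "MOVEit Transfer")
	report := func(label string, as []Asset) {
		for _, a := range as {
			fmt.Printf("%-10s %-10s %-13s %s\n", label, a.Host, a.Subsidiary, a.Version)
		}
	}
	report("PATCH NOW", t.Vulnerable)
	report("UPGRADE", t.Unsupported)
	report("OK", t.Patched)
}
```

Two details matter in practice: version comparison must be numeric, not lexical ("2022.1.10" sorts before "2022.1.9" as a string), and a build on a branch the advisory does not mention is not safe, it is out of support and belongs in the action list. Product names are matched case-insensitively because inventory agents across subsidiaries rarely record them identically.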
A third-party and vendor risk management programme specifically addressing critical enterprise software used to process sensitive data should have required Zain Group to maintain an up-to-date assessment of the security posture of Progress Software's MOVEit Transfer product.
This assessment should have included: review of Progress Software's security development lifecycle practices, subscription to Progress Software's security notification service for prompt receipt of vulnerability disclosures, and a contractual service level agreement with Progress Software requiring timely notification of security vulnerabilities affecting MOVEit. For a product deployed to process sensitive subscriber data for a 50-million-customer telecommunications group, this level of vendor security oversight is a minimum reasonable standard.
Data minimization principles should have governed what data was stored in or accessible through the MOVEit Transfer environment. If the MOVEit installation was processing files containing subscriber personal data, this data should have been encrypted at the file level before transfer through MOVEit, ensuring that files exfiltrated through the MOVEit vulnerability were encrypted with keys unavailable to Clop.
While this would not have prevented the exfiltration itself, it would have rendered the exfiltrated data useless to the attacker and dramatically reduced the harm caused to Zain's subscribers.
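The file-level encryption the two paragraphs above call for, as an added example that is not from the article and not Zain's tooling. Files are sealed with AES-256-GCM before they are handed to the transfer platform, using a key that lives with the sender and recipient (in practice a KMS or HSM, assumed here) and never on the MOVEit host; the file name is bound as associated data so a sealed file cannot be quietly renamed or swapped. The sample "export" is a constructed two-line CSV. The `main` plays out both positions: an attacker holding the exfiltrated blob without the key gets an authentication failure, and the recipient with the key recovers the file.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keySize = 32 // AES-256

// NewKey returns a fresh data-encryption key. In a real deployment the key is
// generated in the sender's KMS or HSM (assumed, not shown) and shared with the
// recipient out of band; it is never stored on, or reachable from, the MOVEit host.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealFile encrypts a file body with AES-256-GCM before it reaches the transfer
// platform. The file name is bound as associated data so a ciphertext cannot be
// silently renamed or swapped for another. Output layout: nonce || ciphertext || tag.
func SealFile(key, plaintext []byte, fileName string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(fileName)), nil
}

// OpenFile reverses SealFile on the recipient side. A wrong key, an altered byte
// or a mismatched file name fails authentication and yields no plaintext at all.
func OpenFile(key, blob []byte, fileName string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	plaintext, err := aead.Open(nil, blob[:ns], blob[ns:], []byte(fileName))
	if err != nil {
		return nil, fmt.Errorf("authentication failed (wrong key or tampered file): %w", err)
	}
	return plaintext, nil
}

func main() {
	// Constructed sample export of the kind the text describes; values are placeholders.
	export := []byte("msisdn,name\n0000000000,Sample Subscriber\n")
	const name = "subscribers-export.csv"
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := SealFile(key, export, name)
	if err != nil {
		panic(err)
	}
	fmt.Printf("what MOVEit stores, and all an exfiltration yields: %d opaque bytes\n", len(blob))
	// The attacker's position: the ciphertext, but not the key.
	wrongKey, _ := NewKey()
	if _, err := OpenFile(wrongKey, blob, name); err != nil {
		fmt.Println("without the key:", err)
	}
	// The legitimate recipient, holding the key, recovers the file.
	plain, err := OpenFile(key, blob, name)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recipient recovers %d bytes\n", len(plain))
}
```

The design choice worth noting is that the encrypting and decrypting parties are the business endpoints, not the transfer platform: MOVEit's own transport encryption protects data in flight, but once the application is compromised it holds the files, so only a key the platform never sees limits what exfiltration can yield. Nonce reuse with GCM is catastrophic, so each call draws a fresh random nonce and keys should be rotated well before the usual per-key message limits.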
Zain Group's exposure through the Clop MOVEit campaign illustrates that for a telecommunications operator managing the personal data of 50 million subscribers across seven countries, a single vulnerable enterprise file transfer product can create regulatory exposure across multiple jurisdictions simultaneously. As CITRA's DPPR framework matures, Kuwaiti telecommunications operators must treat their entire software supply chain - not merely their core network infrastructure - as a data protection risk requiring active management.