Rebecca* is a European freelance journalist. Last year she went to Bahrain for an indepth investigation . Although she was careful with her online communications, a malicious hacking jeopardised her story and follows her to this day. In her own words, Rebecca tells her story and offers a warning to any journalist looking to investigate influential or powerful companies.
It all started with rumours
The story idea came to me in 2015. I had heard about a recruitment agency that offers jobs in Gulf countries (namely Bahrain and Saudi Arabia). The agency was working in my country, as well as Albania and other Eastern European countries, North Africa (Tunis and Algeria) and South Asia.
The agency was charging women $2000 to find jobs for them, which I found strange. But then there were also rumours that women who found jobs through this agency had disappeared. I was hearing stories about girls who got ordinary jobs (as flight attendants, for example), would then take special leave to work for some Sheikhs. Some of them were invited to attend special parties thrown by Gulf royalties, but then disappeared. There was one girl who allegedly tried to leave the country but was pulled off the plane at the last minute and was not heard of again.
These were all rumours but I felt they merited an investigation. I wanted to learn more about this agency, who was behind it, and I wanted to find out what happened to those girls.
I decided to work in secret, so I didn’t seek a commission from any media before embarking on the investigation, which meant I was working all alone and without backing. I also decided to go to Bahrain. My country doesn’t have an embassy there and the closest diplomatic representation is in Kuwait.
I was very careful with my online communication. I knew a lot about internet security so I kept two computers and two phones, unconnected to one another.
Going undercover
I sent an application to the agency and landed a job as a flight attendant with the Bahraini airlines. When I arrived in Manama, I discovered that the head of the agency in my country wasn’t the actual director and that it was lead by someone else.
The entire structure of the agency was vague and I worked in secret for six months, cultivating sources and obtaining sensitive documents. I found out that the agency was operating illegally. They were illegal in my own country and they were not registered in the countries where they worked (including Tunis and Algeria). I discovered that the agency was often contacted by Sheikhs wanting to recruit women -- the jobs were not clearly specified but some women agreed to take leave from their ordinary jobs to take royal posts.
Given the sensitivity of the story, I was very careful with my online communication. I knew a lot about internet security so I kept two computers and two phones, unconnected to one another.
For example, I had two email accounts and I would open each one of them on one computer only but not the other so if they managed to hack one account, they couldn't access the other one. I used two-factor-authentication for both emails, of course. With the phones, I had one smartphone which was “visible”, and another basic one for communication with my contacts. I thought I was being very careful.
I also kept to myself and behaved well in order to stay out of trouble. Although there is alcohol and prostitution in Bahrain, it is still illegal so I avoided anything that could draw any suspicion. I avoided going to parties or inviting people to my place. I also avoided going out with men alone. The head of the company in Bahrain tried to hit on me a few times but I avoided him.
I cultivated more sources, obtained more documents, and was able to get access to people in high positions in Bahrain and Saudi Arabia.
But six months on, as I got closer to the truth, I got hacked.
I was horrified to find there were profiles with my name and number on “adult-dating” sites. The hackers used my name and telephone number and started chatting with other guys pretending to be me posing as a sex worker.
Stolen identity
I cannot be sure the exact moment my email and social media accounts were hacked but it may have been one of many documents that I received and downloaded on my smartphone. I realised later that the hackers accessed my emails so they read everything and knew that I had obtained important documents about the company.
I started suspecting that I was hacked because my phone battery was dying very quickly. Then, more people started following me on social media like Instagram and Facebook although I was not active on either account. People would add me, and more men were sending “friendship requests” from my home country.
Once, while I was on a flight to Europe, I opened my Facebook account and discovered that someone was also using it in India. So I quickly saved as many emails as possible.
Then, I started to receive strange messages on Whatsapp. Strange men would send me love messages with phrases like “lot of hugs” and “kisses” and pictures of hearts! These men were surprised when I asked them where they got my number from because they thought I was chatting with them on other websites. When I asked them to send me screenshots of the alleged chats, I was horrified to find there were profiles with my name and number on “adult-dating” sites. The hackers used my name and telephone number and started chatting with other guys pretending to be me posing as a sex worker.
I also searched for my photos on Google and found them published on sites without my knowledge. My first reaction was to make it categorically clear to these men that I have been hacked and that someone had created fake accounts without my knowledge.
Then, I started receiving emails from porn websites and companies selling sex toys. This wasn’t just spam email, it looked as if I had deliberately subscribed to these websites as a customer. So imagine if the authorities got access to my email and found these sites!
I felt exposed because I was working alone without editorial support and because there was no embassy for my country in Bahrain. I contacted the nearest ambassador in Kuwait and he warned me that, unless I leave the country, I could be charged with prostitution or someone could plant some incriminating evidence in my apartment while I’m out.
They had filed a lawsuit against me, alleging that I was sending threatening messages to the manager. They even accused me of sending threatening messages to the kindergarten where his son used to go
Going to the police
By now I realised that the agency was well connected in Bahrain and so I was worried about going to the police. But I still needed an official letter to confirm that I was hacked so I decided to go to a small police station instead of the main police headquarters.
Luckily, there was a female police officer on duty and she was sympathetic to my situation. I filed a complaint that my accounts have been hacked, and she gave me an official police report to use as a document in case I needed to defend myself against any allegations of prostitution.
But then, the hackers went one step further…
I got an official letter from a lawyer in my own country, who said he represented the owner of the agency. They had filed a lawsuit against me, alleging that I was sending threatening messages to the manager. They even accused me of sending threatening messages to the kindergarten where his son used to go…. In Bangkok! I scanned the police report and sent it to the lawyer as proof that I had been hacked and that any threatening letters were actually written by someone else.
I thought this would buy me some time to leave the country.
Trapped for two months
Although this is difficult to prove with clear-cut evidence, I believe the agency used its contacts in Bahrain to stop me from leaving the country.
More than once, I would book a flight to leave Manama, but when I arrived at the airport they would tell me the flight was overbooked. Once, I booked a ticket only three hours before departure, thinking this wouldn’t give them enough time to tamper with my booking. But when I arrived at the airport, the Bahraini authorities refused to let me board the plane because I didn’t have a visa to Kuwait. I knew this was just an excuse because I already had a GCC ID card and with my European passport I should have been able to travel. I quarrelled with the men at the airport but they still sent me back.
Then, I decided to do things differently. As a flight attendant, I had access to an international portal where I could buy cheap tickets and this portal was not connected to the government. So I applied for a ticket through the portal right before I left. Then, the moment I arrived at the airport I went through Qatari airlines instead of Bahraini airlines and that’s how I got home.
A lot of journalists out there don’t pay as much attention to online safety as they do to their physical safety. They don’t realise that cyber security isn’t just about protecting them, but about protecting their sources too.
Aftermath
Once I was back home, I took my computers and mobile phones to IT experts to find out how much was hacked and compromised. I had a Samsung phone which I now realise is easier to hack than an IPhone and, as I suspected, it seems that the hacking virus was in one of the documents sent to me during the investigation. But I don’t know exactly how much information (names, numbers, data) they managed to pull from my phone.
The lawyer of the agency kept chasing me for four months after I returned home, so I had to hire a lawyer to handle the case. So far, no charges have been pressed against me but I am wary of travelling to any country where this agency operates. Needless to say, I cannot go back to the Gulf anytime soon.
I didn’t manage to finish the story because I realised this was much bigger than I could handle and in the end I passed my research on to another journalist because it was just too big for me.
But there was one little success for me. I did report this company to the police in my country and now they cannot work there anymore.
I’ve become more careful about cyber security, I took three more courses since then. When I go online I work in “incognito” mode so no one can track the sites that I access. I don’t use whatsapp anymore and prefer MeetJitsi and try not to type too much, I get the information verbally and then double check from other sources.
I’m telling my story because a lot of journalists out there don’t pay as much attention to online safety as they do to their physical safety. They don’t realise that cyber security isn’t just about protecting them, but about protecting their sources too. What happened to me could happen to another journalist and they might be as lucky and manage to leave the country.
*Name has been changed to protect the identity of the reporter. She is currently back in her home country in Europe.
