teudat zeut israeli id.
(photo credit: Ariel Jerozolimski)
Israelis are rightly incensed by the recent announcement that a contract worker
at the Ministry of Social Affairs and Social Services has copied all their
personal details and made them freely available on the
Biometric registry slammed in light of personal info theft
'Contract worker stole all Israelis' personal information'
According to media reports on the incident, the Justice
Ministry has freely admitted that the significance of the exposure is
On top of loss of privacy, the ministry has said that the breach
includes economic and, most worryingly, physical security. There can be no
higher impact of such an incident that puts at risk the physical security of
over nine million Israelis – presumably including Israelis living
The thief’s intention was apparently to sell the information;
the data, however, has somehow been exposed to anyone with Internet
This kind of security breach can be devastating.
on the nature of the exposed personal data, it could be used for nightmare
scenarios – from planning terrorist and assassination attacks, to blackmailing
individuals, to committing acts of treason.
Criminals could also use the
exposed information for extortion purposes.
Indeed, even a simple list of
names, addresses and telephone numbers can provide the ability to burgle
temporarily empty properties or commit financial scams.
So, how did this
happen? A clue can be found in the fact that when Israel joined the Organization
for Economic Cooperation and Development – an international agency that seeks to
stimulate world trade – one of the criticisms it received in the OECD assessment
was the deficiency of controls within Israeli organizations.
The Bank of
Israel responded that these controls would be tightened up, but what the BoI
didn’t say was that this would incur a huge effort and cost.
In the UK
and US, government organizations and financial companies spend enormous budgets
on their information security departments, precisely to mitigate the risk and
subsequent effect of such an incident. One single exposure incident can bankrupt
Israel is usually adept at handling crises – but far from
impressive in the planning department. The “Start-Up Nation” is extremely quick
to implement initiatives, but tends to take risks and shortcuts.
that involves a small entrepreneurial company, the worst that happens is that it
folds. But when it happens to the custodian of information for nine million
people, it’s a whole new ball game. Preventing information security incidents
requires specialists with experience in the industry.
There must be an
investigation into the security controls, or lack thereof, in government
This is not the first security-exposure incident in recent
times. The previous unauthorized release of classified IDF documents to a
reporter by Anat Kamm in 2008 may have been more “low-tech” than the
current incident, but highlights the same casual attitude to
The key problems that can cause incidents like this are
inappropriate use of contract staff, too much power given to individuals,
insufficient supervision and inability to spot data leaving a secure
Israel has excellent security products that are designed to prevent
data leakage. But security software isn’t a magic wand – government departments
need a complete review of their approach to data security, otherwise a similar
incident will almost certainly recur.
Michael Ordman is a Certified Information Systems Security Professional (CISSP)
He also writes a regular blog for
The Jerusalem Post and a weekly newsletter containing Good News stories about Israel.