How Equifax’s data breach threatens Israeli security

US consumer credit company hack could provide intelligence data for Iran, says expert

CREDIT-REPORTING company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, on September 8 (photo credit: TAMI CHAPPELL / REUTERS)
Equifax, one of the largest American consumer credit reporting agencies, announced earlier this month that hackers had accessed the personal data of 143 million US, British and Canadian customers. That data breach not only affects Israelis with dual citizenship but harms Israeli banks and threatens the nation’s security.
It is likely that countries such as China and Russia are buying up the American-dominated data en masse. Meanwhile, a budding alliance between Iran and Russia in the Middle East could strengthen Iranian intelligence capabilities vis-a-vis Israel.
“So Iran could buy up the data and hire allied-Russians to do this. I’m sure they are doing this already. This is not Israeli data, this is American data, something that will help them target Israel,” said Gartner Research security analyst Avivah Litan.
Attackers hacked Equifax in May 2017, using a web-application vulnerability for which a patch had been issued in March. That means the company had two months to apply the patch and prevent the breach. The company was hacked from May until July, when it learned of the problem. The firm then took six weeks to notify the public.
With the data breach, foreign intelligence actors can more capably map out the population – connecting family members, places of employment and schools – and use that information to hack Israeli institutions.
“You have to think about personal data as a national security threat, that nation-states are buying up data to commit crimes and commit acts against their adversaries,” said Litan.
“Don’t think about it in terms of personal terms or financial loss.”
It may be easier now for a foreign intelligence agent to send a phishing email – one that contains malware and compromises that email account.
If an agent knows that someone works for an Israeli company and has a son named Yoni who goes to Balfour School, the agent can write an email saying Yoni has a parent-teacher conference at Balfour and invite the recipient to sign up by clicking on a link.
The link includes no parent-teacher conference for Yoni, but rather contains malware that can now access the server of the recipient’s employer.
That is why most intelligence agencies, such as the Mossad and CIA, bar employees from regular email and Internet browsing on agency computers.
But not every security-related company does that.
It is unclear how many American, British or Canadian dual citizens work in Israeli critical infrastructure, such as in the Israel Defense Forces, airports and nuclear power plants. If an Israeli company or government agency has employees from those countries whose data has been stolen, they are now vulnerable.
In that way, the Equifax data breach not only affects individuals – 95% of financial crimes already have to do with taking over existing accounts – it threatens Israel’s national security.
For customers, the data breach will inhibit Israeli banks from working with dual citizens.
“Let’s say Bank Leumi is doing business with you, an American. Now they can’t really be sure you are really who you say you are, based on your presenting information to the bank. When banks open new accounts, they typically ask for all your personal information – your SSN, your address – all the information that was stolen at Equifax,” Litan said.
Though more and more Israelis are now in credit debt, Israel has historically been a more debit-oriented society. That could insulate Israelis from hackers impersonating someone in order to gain access to their credit card. Customers in Israel who want a credit card must apply in person at a local bank. That requires much more vetting and security than it does in America, where customers can apply online for a credit card.
Two-step verification – which requires a log-in and submission of a code texted to a phone – can be undermined, because it is now possible for hackers to take over the phones of Israeli dual citizens. Attackers can ask a phone carrier to forward calls to a new number. The carrier will try to identify the user through personal information, such as name, address and date of birth. All of those personal details were disclosed in the Equifax data breach.
Similar types of identity theft occur less frequently in Israel than in the US. That is because many Israeli banks give startups access to their security software in order to experiment for free. In exchange, cutting-edge cybersecurity tools get tested on local banks.
“When you meet with Israeli government agencies or banks, they love trying out new technologies. You don’t read about too many hacks. And usually the hackers are Israelis hacking the bank just to prove that they can do it,” Litan said.
That said, Israel has taken a number of precautions to defend itself digitally. In January, Equifax issued a report touting Israel’s expertise in the cybersecurity sector. “While many people believe that the home of cybersecurity is the US, Israel is working its way to becoming a world leader in the cybersecurity industry,” the Equifax statement, which was published before the data breach, said.
Most Israeli corporations tend to be more responsive than their American peers in downloading the latest security patches, a number of cybersecurity analysts told The Jerusalem Post. Part of that is due to Israel’s Computer Emergency Response Team, a civilian cyber-operations center that keeps companies in the loop regarding reported glitches and data breaches.
“When the CERT finds some vulnerability, they send distribution emails to all companies, to all the big companies in Israel and they tell them about this vulnerability and the need for a patch,” said Ami Tsarfati, a cybersecurity manager for the Israel Airports Authority.
The Israeli center prioritizes critical software patches, Tsarfati said, differentiating itself from international cybersecurity centers which contact companies over every new piece of computer code. CERT often sends two to three general information emails and one technical email daily, with the one technical notice including patches and concrete steps to take.
Tsarfati formerly worked at Teva Pharmaceuticals and Elbit Systems Ltd. He said those two Israeli companies are hyper-vigilant about cybersecurity and checking for software vulnerabilities.
“In Israel, there’s a lot of traditional knowing and learning about how to handle security incidents. These are clear procedures,” he said.
“There’s a lot of communication with management and with business. For example, if I see a breach or something that I suspect that it could deliver a breach, I must send it to my boss or management,” Tsarfati said. That contrasts with European and American executives who often do not consider cybersecurity a revenue-generating operation and thus downplay its importance.