Comment: Who’s minding the store?

Another personal data leak is in the cards unless state undergoes a complete review of its approach to security.

teudat zeut israeli id (photo credit: Ariel Jerozolimski)
teudat zeut israeli id
(photo credit: Ariel Jerozolimski)
Israelis are rightly incensed by the recent announcement that a contract worker at the Ministry of Social Affairs and Social Services has copied all their personal details and made them freely available on the Internet.
According to media reports on the incident, the Justice Ministry has freely admitted that the significance of the exposure is large.
Biometric registry slammed in light of personal info theft
'Contract worker stole all Israelis' personal information'
On top of loss of privacy, the ministry has said that the breach includes economic and, most worryingly, physical security. There can be no higher impact of such an incident that puts at risk the physical security of over nine million Israelis – presumably including Israelis living overseas.
The thief’s intention was apparently to sell the information; the data, however, has somehow been exposed to anyone with Internet access.
This kind of security breach can be devastating.
Depending on the nature of the exposed personal data, it could be used for nightmare scenarios – from planning terrorist and assassination attacks, to blackmailing individuals, to committing acts of treason.
Criminals could also use the exposed information for extortion purposes.
Indeed, even a simple list of names, addresses and telephone numbers can provide the ability to burgle temporarily empty properties or commit financial scams.
So, how did this happen? A clue can be found in the fact that when Israel joined the Organization for Economic Cooperation and Development – an international agency that seeks to stimulate world trade – one of the criticisms it received in the OECD assessment was the deficiency of controls within Israeli organizations.
The Bank of Israel responded that these controls would be tightened up, but what the BoI didn’t say was that this would incur a huge effort and cost.
In the UK and US, government organizations and financial companies spend enormous budgets on their information security departments, precisely to mitigate the risk and subsequent effect of such an incident. One single exposure incident can bankrupt a bank.
Israel is usually adept at handling crises – but far from impressive in the planning department. The “Start-Up Nation” is extremely quick to implement initiatives, but tends to take risks and shortcuts.
When that involves a small entrepreneurial company, the worst that happens is that it folds. But when it happens to the custodian of information for nine million people, it’s a whole new ball game. Preventing information security incidents requires specialists with experience in the industry.
There must be an investigation into the security controls, or lack thereof, in government departments.
This is not the first security-exposure incident in recent times. The previous unauthorized release of classified IDF documents to a Haaretz reporter by Anat Kamm in 2008 may have been more “low-tech” than the current incident, but highlights the same casual attitude to security.
The key problems that can cause incidents like this are inappropriate use of contract staff, too much power given to individuals, insufficient supervision and inability to spot data leaving a secure area.
Israel has excellent security products that are designed to prevent data leakage. But security software isn’t a magic wand – government departments need a complete review of their approach to data security, otherwise a similar incident will almost certainly recur.
Michael Ordman is a Certified Information Systems Security Professional (CISSP)
He also writes a regular blog for The Jerusalem Post and a weekly newsletter containing Good News stories about Israel.