Could third-party breaches threaten Israel’s new credit data sharing system?

Israel’s first-ever system for sharing credit data, featuring the establishment of a central credit register, was officially launched by the Bank of Israel last week.

Until then, credit data for borrowers was always retained by the lending institution alone, usually the customer’s bank.
Now seeking to increase competition in the retail credit market, the Bank of Israel will collect data from credit providers and government authorities and will transfer them – only if the customer consents – through credit bureaus to credit providers authorized to use the data (lenders) and to customers (borrowers) themselves.
Only companies holding a license from the Bank of Israel will be able to access data and provide potential borrowers with a credit rating. Currently, Dun & Bradstreet, BDI and Trendline Information and Communication Services (Kav Manche) are the sole providers possessing the necessary permit.
While the Bank of Israel’s database containing sensitive financial information is likely to be highly secure, questions have been raised regarding vulnerabilities caused by less stringent third-party providers that may gain access to the data at a later stage.
“What we see in the world is situations where third parties are interconnecting with a more secure place and becoming very quickly the weak spot and attracting the threats from hackers,” Kobi Freedman, CEO of cybersecurity platform IDRRA, told The Jerusalem Post.
“Think of it as a sort of door or window into your home, where the locks are weaker. Normally, what happens is that hackers, like thieves, focus their efforts on the place where the cost-effectiveness of the attack is more profitable.”
Warning of a recent shift in the world of cyber crime, Freedman states that hackers increasingly seek to penetrate smaller, weaker companies within a supply chain to access companies higher up the chain, and thereby gain access to personally identifying information.
“Hackers are very interested in two things: One is the ability to massively gather data and then resell it; and while the cost per record might be quite low, the amount of records makes it very interesting financially,” said Freedman.
“The other kind of goal is to specifically target individuals for different reasons, where the cost per record might be very high because the target may be very profitable.”
While the three data aggregators currently licensed by the Bank of Israel are high-profile organizations and assured to be relatively secure, Freedman states that there must be a strict policy regarding the necessary security and risk level of any future third party seeking to access the database.
“Everyone who wants to develop a service on top of this bureau will need to be inspected regarding their data protection and privacy aspects of their infrastructure and policies. Gap analysis should be generated for every one of them,” said Freedman.
IDRRA, selected by leading research and advisory firm Gartner as a “Cool Vendor” last year, has developed an artificial intelligence-powered platform for automating security, data protection and privacy-related risk analysis for third parties.
“If you’re exposed to sensitive data, you need to meet the highest standards. There should be a strict process that says if I am seeking financial information, I must meet a list of security and privacy requirements. If I’m not meeting them, I will never get access to this service,” said Freedman.
“I think the Israeli government is aware of this risk, and proper measures will be taken. There is an initiative to certify and monitor third-party risk on both the commercial and national level. If this sort of strict process is in place, then the level of risk will be far below the positive results that we’re expecting from this centralized credit service.”
In order to ensure privacy, the Credit Data Law enables customers to independently access, once a year without charge, all information gathered on them, and to transfer it to entities that will provide them with advice regarding their credit-related financial management.
Customers may also limit the transfer of all or some credit data to credit providers of their choice or all institutions, and also request the deletion of all data on the register.