Eight arrested in Israel and Thailand for Leumi Card data breach

Former employees demanded millions, threatened to leak credit card info

Credit card
Eight former bank employees, in Israel and Thailand, tried to extort millions of shekels from Leumi Card Ltd., the credit card issuer affiliated with one of the nation’s largest banks, police said on Sunday.
The ex-employees threatened that if they didn’t get the money, they’d sell the details of millions of credit cards of bank customers to the highest bidder, police said.
The case went public on Sunday, a day after officers from the Israel Police Cyber Crimes Unit arrested seven former Leumi Card employees in Israel, and Thai and Israeli police arrested the ringleader, at his residence in Thailand.
The investigation began two weeks ago, police said, after Eliran Rosnis, the former employee living in Thailand, contacted Leumi management saying that he would sell the credit card information to the highest bidder if he was not paid millions of shekels, police said. The suspect, a former employee of the bank, had been living in Thailand for the better part of a year after the company fired him.
Investigators said the suspect contacted Bank Leumi by using the “Dark Net,” the online network popular for illegal activities, where IP addresses aren’t shared.
Police said he told the bank that before leaving the company he copied the details of customers and was ready to sell them if his demands were not met. They said that none of the customer details were revealed before the ring was arrested. Though the stolen information included names, card numbers and government- issued ID card numbers, it did not include the security codes located on the back of the cards or data on magnetic strips, which could be used to recreate the cards.
Five of the suspects were in court on Saturday night.
They were named as Ziv Derin, Avraham David, Asaf Mor, Elad Aboulafia, and Moti Alon. Their remands were extended until Thursday.
The accused ringleader of the extortion attempt arrived in Israel on Sunday morning from Thailand, and will be brought for a remand extension on Sunday afternoon.
“It is important for me to emphasize that there is no suspicion of damage of any kind to our customers,” Leumi Card CEO Hagai Heller said, adding that the company was treating the breach with the utmost level of seriousness and would draw conclusions when the police investigation closed.
The bank has not undertaken new hiring or screening procedures for its employees.
Data breaches from major companies in recent months have shown the growing challenge of cyber security. Last December, US retailer Target announced that data on its customers had been compromised, affecting up to 70 million people. In September, Home Depot, also in the US, revealed a similar breach of its payment data system.
Unlike those examples, Leumi’s breach occurred from within the organization, accentuating the challenge of preventing internal data theft. That problem, too, made headlines in recent years, when National Security Agency contractor Edward Snowden ran off with secret files, and US Army soldier Bradley Manning turned classified information over to WikiLeaks.