Government to reconsider using Shirbit insurance after large cyberattack

"We take the incident seriously and are following developments on the issue and the findings of the supervisory authorities," said the Finance Ministry.

Cyber Hackers (photo credit: REUTERS)
The Israeli government will reconsider using Shirbit as an insurance provider for government employees after thousands of documents containing personal information were leaked in a large cyberattack that targeted the company recently, according to KAN news.
The union of government employees demanded that the accountant general review the government's use of Shirbit's services. "We take the incident seriously and are following developments on the issue and the findings of the supervisory authorities," said the Finance Ministry, according to KAN. "Decisions will be made in accordance with the findings and subject to the law."
Shirbit reportedly has many government employees among its clients, including Gilad Noitel, president of the Tel Aviv District Court. MK and former Shin Bet head Avi Dichter was also a customer of the insurance company.
"I was happy to see that the Shirbit company, with which I have been insured for decades, acted responsibly and did not give up and pay ransom to criminals," said Dichter on Monday. "I trust the legal systems in Israel and around the world to get to those criminals and bring them to justice."
In light of the cyberattack, in which a number of ID cards were leaked, the National Cyber Directorate is calling for the government to stop using the date of issue for ID cards as identification for government services.
"The government is speaking here in two voices," said MK Einav Kabla, the chairwoman of the Knesset Science and Technology Committee. "In practice we identify with these problematic details that were leaked, while the National Cyber Directorate forbids [using them]."
The chief lawyer of the National Cyber Directorate, Amit Ashkenazi, told the committee that the directorate demands that no use be made of the date of issue of the ID card. "We have now issued guidelines on this as well, but the body that manages the risk is the Information and Communications Technology (ICT) Authority, and they manage this risk," said Ashkenazi.
Gideon Confino, director of the Cyber Risk Unit at the ICT Authority, stated that the state should either forbid photocopying IDs or have the date of issue transferred to the back of the card.
As of Sunday morning, the Black Shadow group behind the cyberattack against Shirbit last week leaked a third round of the company's data after Shirbit declined to pay the ransom demand by 9 a.m.
In addition, the group leaked messages from alleged persons interested in purchasing the stolen Shirbit data for their own purposes.
At least one of the messages was from an individual who claimed to want to turn over the data to Iranian government officials.
There was no way to confirm the identities or truth of the alleged purchasers and some of the messages had grammatical errors, which could signify messages forged by Black Shadow personnel who may not be native English speakers.
The exposed material included screenshots of WhatsApp conversations, ID cards, marriage certificates and financial and medical documents.
Despite the thousands of documents leaked by Black Shadow over the past few days, Shirbit continued to insist on Saturday that only a “relatively small” number of documents were leaked and that the decision not to pay the ransom was not from "financial considerations, but rather for the good of the customers," according to Israeli media.
Zohar Pinhasi, CEO of the ransomware removal and cyber security service MonsterCloud, told The Jerusalem Post that the claims that Black Shadow wants to strategically harm Israel and is not looking for money are “nonsense.”
“It’s important to clarify this: No government or security body will be able to stop it,” claimed Pinhasi.
“The Pandora’s box has opened and now the company is trying to downplay the severity of the hack and frame it as a matter of ‘national security’ to prevent damage to their reputation and come out as alright with the regulator and customers,” he said.
Pinhasi warned that “if the materials fall into the wrong hands, it will be possible to use them against the State of Israel. Now the attackers are threatening that if [Shirbit] does not pay the ransom, they will send the stolen materials to a kind of site designated for leaks, which they did.”
Despite stating that he believes a state actor is not behind the hack, the CEO added that he believes that the attackers are from Iran, but that this cannot be confirmed as of yet. 
An official involved in the investigation told Channel 12 on Friday that it seems more likely that a state is behind the attack, not a private group, despite reports that at least one of the attackers may be from or in Israel.
The attack comes amid a spike in ransomware attacks against insurance companies, with dozens of insurance companies in the US reporting ransomware attacks in just the past week, according to MonsterCloud.
Yonah Jeremy Bob contributed to this report.