Shirbit hack shows cybercrime is a dangerous threat

This attack should serve as a wake-up call to all companies and government bodies that they must take cybersecurity seriously.

[Illustrative] A man holds a laptop computer as cyber code is projected on him. (photo credit: KACPER PEMPEL/REUTERS)
[Illustrative] A man holds a laptop computer as cyber code is projected on him.
There are still many questions regarding the cybersecurity data breach at the Shirbit insurance company last week. A group going by the name “Black Shadow” claimed responsibility for the hack and began exposing personal material when its ransom demands were not met.
Policy holders have been advised to renew their identity cards and driver licenses to try to prevent more damage of possible identity theft. Yesterday, Black Shadow reportedly threatened to sell some of the stolen data.
Such cyber heists are no longer rare and take place around the world. Indeed, the threats seem to be part and parcel of the cyber age. The attack comes amid a spike in ransomware attacks against insurance companies, with dozens in the US reporting ransomware attacks in just the past week, according to MonsterCloud. According to a blog on, the third quarter of this year the company’s research saw a 50% increase in the daily average of ransomware attacks, compared to the first half of the year.
There is no room for complacency. Cyberthreats to hospitals and national infrastructure can be lethal. Cyberattacks can be used as a form of warfare.
The Shirbit incident, also, should not be played down. It is easy to pretend that most individuals have nothing to hide, but few people would, for example, want their complete physical and mental health records released into the public domain, or the entire contents and value of their homes and possessions. This is in addition to the threat of identity theft that could take place in the future, using personal information.
Over the weekend, the hackers released a large collection of documents, including screenshots of WhatsApp conversations, ID cards, marriage certificates and financial documents. They had previously released photos of employees of the company and medical documents.
Shirbit claimed that the attack is aimed at embarrassing both the company and the entire Israeli economy and refused to pay the millions of dollars that Black Shadow was demanding in Bitcoin. Despite the company’s attempts to portray this as a national security attack, in this case, evidence so far seems to point more in the direction of criminal extortion: But it is still a developing situation, no one knows where this material will end up and how it will be used.
An insurance company, in particular, should be particularly sensitive to concerns over the private material it holds. It should ensure that the data it holds is as safe as can be against cyberthreats. The theft of personal details can be as devastating as traditional risks such as break-ins and car thefts. Everyone knows how they would feel if their credit card was stolen – either physically or by virtual identity theft – or if their phone with all their private messages and photos, as well as access to their financial accounts were stolen.
There should be no mistaken aura of glamour around cyber theft. Theft is theft – a violation of privacy, and stealing something that doesn’t belong to the perpetrator. It makes no difference if a burglar breaks into your home or a hacker breaks into your account. It is an intrusion and invasion of privacy.
Ransomware attacks such as the one on Shirbit raise serious dilemmas. For example, is paying the ransom a guarantee of halting the spread of the stolen material or will it just encourage similar attacks in the future? Could taking the moral stand and refusing to pay the ransom be the worst option for those whose details have been stolen? They are victims of a crime and more effort must be made to prevent additional victims. Ultimately, it was not Shirbit that was the victim but those whose details were not adequately protected.
This attack should serve as a wake-up call to all companies and government bodies that they must take cybersecurity seriously and introduce more preventive and educational measures to reduce future breaches.
When they are caught, the perpetrators must be treated as the serious criminals that they are and the state and private companies must make an extra effort to provide security for our data no less than they do for our physical well-being.