One of the most frustrating aspects of the latest round of sensitive data leaks, experts say, is that the hacking could have been prevented.
By Lauren Marcus, World Israel News
The latest cyber attacks on Israeli companies and subsequent data leaks are just the tip of the iceberg, and the Jewish State should treat the latest incidents as an act of cyberwarfare and respond accordingly, Israeli cyber experts say.
Iranian-backed hacking group Black Shadow announced that it had compromised Israeli firm CyberServe, which hosts websites and provides data storage systems for a number of Israeli organizations, including the Dan bus company, public broadcaster Kan, Pegasus Tours and the Holon Children’s Museum.
After CyberServe and Atraf refused to pay a ransom to keep the data private, the group released the names, phone numbers, emails, private photos and videos, and even the HIV status of users of the app.
The Mor medical institute was also hacked by Black Shadow, and patients’ names, national identity numbers, requests for lab tests and, in some cases, sensitive medical data and test results, were published on Wednesday.
Black Shadow is selling the credit card details of tens of thousands of Israelis, whose data was pulled from the various hacked sites.
One of the most frustrating aspects of the latest round of leaks, experts say, is that the hacking could have been prevented, had CyberServe followed industry-standard best practices for protecting user data.
“The current breach is a result of CyberServe ignoring warnings from professionals such as the national cyber system and even Netvision staff who host the company’s servers at its facilities,” a cyber analyst wrote in Calcalist.
Oded Vanunu, head of Product Vulnerability Research at Check Point, said that “the full leak from the Atraf website should be a warning sign on the national level and [for] the companies storing personal information on the Internet.”
“The personal details of Israeli citizens are repeatedly being leaked following cyberattacks that could easily have been prevented,” he told Israel Hayom.
“We should assume the information will be used for very precise phishing attacks by additional hacker groups around the world,” he said.
Tomer Elias, Product Management Director at security firm BigID, said that companies who violate internet privacy laws, improperly store data,and fail to implement sufficient security systems can face fines reaching up to 20 million euro [$23 million].
“In Israel, the fines reach a maximum amount of 29,200 shekels [$9,360],” Elias told Israel Hayom.
“This means that if our information is hacked or leaked from a certain company, or the company is not willing to give us the information that belongs to us, or refuses to delete us from its database – this is the maximum fine they can get.”
Because Israeli companies face minimal consequences for failing to take basic steps to protect their customers’ data, we can expect to see these types of attacks happening again in the future, Elias said.
In October, hackers brought down the internal systems of Hillel Yaffe medical center, forcing staff to revert to analog paper-and-pencil recording of everything from patient intake forms to medication allotment.
A significant amount of patient data was believed to have been permanently deleted after the hack.