Leumi Card, one of Israel’s largest credit card providers, was the victim of a recent extortion attempt by seven former employees, who threatened to release the private information of nearly 2,000,000 credit card holders to the internet if their financial demands were not met. The company approached the police 2 weeks ago after receiving a threatening email from a former employee who had been fired from the company a year earlier. He stated that he had collected private customer information during his employment and demanded millions of dollars in exchange for suppressing the sensitive details, or else he would sell the information to the highest bidder on the Darknet.
The Israeli police’s Cyber unit worked in cooperation with the Thai police (the suspect was staying in Thailand at the time) and with bank officials to apprehend the suspect and his associates. While details of the case are still sketchy, it appears that several of the suspects hacked a main computer while working at the company and copied sensitive files, which they managed to extract and hide. Once the company became aware of the breach it took the necessary precautions to trace it and altered its transaction approval procedures to prevent large unauthorized transactions, claiming that no monetary damage was done.
While this case is unique in its magnitude (at least in terms of the Israeli cybercrime scene), it has all the “regular” ingredients of the data breaches we have seen in past years: internal perpetrators, most likely with privileged access rights, and insufficient control measures, leading to a potential loss of revenue and reputation. Several points can be learnt from this incident:
The insider threat is still extremely difficult to mitigate
While the company has invested heavily in its cyber defense, including cutting-edge technology and skilled personnel, it was still breached from the inside, showing again just how vulnerable companies are to internal threats. An insider will always have the upper hand, so mitigating this threat requires more than technological means.
Technology alone is never enough
While investing in technology is a necessity, it is not sufficient without the proper procedures and controls. Such procedures should include more stringent recruitment background checks, segregation of duties, allocating access rights according to role, and paying close attention to employees who are about to leave the organization (especially if they have access to sensitive data).
Proactively disclosing an incident can prevent damage to reputation
I think the company’s public behavior was exemplary during this incident: approaching the police right away, taking the necessary internal steps to contain the threat and voluntarily disclosing the details of the incident to the media. Put together, these steps show the public that the company takes the security of personal details seriously and does not shy away from admitting mistakes when they occur.
It remains to be seen whether these 3 lessons will be learnt by other organizations before the next, inevitable breach.