Population database hacked in 2006 reached the Internet
Full names, identity numbers, addresses, dates of birth and death, immigration dates and familial links between citizens are all freely available online.
Israel's Population Registry database, containing substantial information about more than nine million Israelis, both alive and dead, was stolen several years ago and eventually uploaded to the Internet, where it could have been accessed by anyone.
A gag order was removed Monday on the investigation being conducted by the Justice Ministry's Law, Technology and Information Authority, which revealed the 2006 hacking of the registry and traced the path of the database as it changed hands, until it was discovered to have been distributed on the Internet at no charge.
Details that could be accessed from the distributed database included full names, identity numbers, addresses, dates of birth and death, immigration dates and familial links between citizens. Officials believe the database was used by private people, businesses and possibly by hostile elements.
According to investigators, a contract worker at the Labor and Social Affairs Ministry, Shalom Bilik, allegedly stole the database, to which he had access in the course of his work. He passed a copy of the Population Registry to one of his clients, and from there it went from hand to hand. Eventually, a software program called Agron 2006 was developed based on the stolen data. Agron allowed a user to generate a wide variety of population profiles by setting different parameters, and to trace familial relationships among the entire Israeli population.
Copies of Agron were apparently making the rounds in the Haredi community when the software fell into the hands of a Jerusalem computer technician, Meir Leiver, who allegedly uploaded it to the Internet so that anyone in the world could access the information. Leiver allegedly developed an Internet site on which he explained how to download the Agron software and how to use it.
The information contained in the Agron software could make it very easy to commit forgery, fraud and particularly identity theft, since the program supplied all the information needed to create seemingly authentic documentation, officials said. It could also lead to election fraud, as the information would make it easier for anyone to vote pretending he was someone else. The leak could also have security implications, since the database could enable anyone to acquire information about people whose public identities are kept confidential for security reasons. Revealing their home address, or information about their spouse and children, could put them and their families at risk.
The information authority said on Monday that Leiver allegedly used sophisticated methods to cover his electronic tracks and prevent the disclosure of his true identity. Leiver's attorney Yair Golan said that his client denies all the allegations against him.
After several alerts over the years that indicated the database might have been compromised, the Justice Ministry's information authority began a covert investigation in 2009, which focused on mapping out the potential leaks, analyzing the technology of the Agron software, and eventually making contact with involved parties, based on intelligence tips. Eventually the homes of several suspects were raided, and computer equipment and documents were confiscated. The second part of the case, tracking down who was distributing the database on the Internet, was finally solved by zeroing in on Leiver and monitoring his Internet traffic, in cooperation with officials abroad, particularly in the United States.
During the investigation it was discovered that other databases, including the country's adoption registry, had also been stolen. "This should cause every database administrator and every citizen to lose sleep," said Yoram Hacohen, the head of the information authority. "What we've learned from this case must influence the way all information systems are developed."
The information authority believes it has enough evidence to prosecute the suspects for violations of the Protection of Privacy Law and other offenses, including obstruction of justice and theft by a public employee.