Eight former Bank Leumi employees, including one extradited from Thailand, are being held for threatening to sell information about two million of the bank’s credit card accounts unless they were paid a ransom.
In what appears to be one of the biggest cases of cyber extortion ever in Israel, seven suspects were arrested over the weekend and ordered remanded until Thursday. The eighth, who investigators said was the ringleader, landed in Ben-Gurion Airport on Sunday under police escort to face charges.
The police’s Lahav 433 cyber unit said the eight had obtained the identity numbers and three-digit security code that appear on the back of credit cards for some two million holders of the bank’s Leumi Card. That would have been enough information for anyone with the data to make telephone and online purchases, but Leumi Card CEO Haggai Heller said none of the accounts had been compromised.
“Since the start of the affair all credit card transactions have been monitored and non out-of-the-ordinary movements have been detected,” Leumi Card said in statement over the weekend.
Investigators were first alerted to the alleged crimes when a former employee of Leumi Card, a subsidiary of the bank, sent an email the bank two weeks ago, police said. The email alleged that he had copied sensitive data while employed by the bank and would sell the information to the highest bidder.
The alleged extortionist, who was fired a year ago and was living in Thailand while he allegedly masterminded the scheme, demanded “millions of shekels” from Israel’s second largest bank to keep the data secret, police said.
Police said the Lahav 433 cyber crime unit launched an investigation after being contacted by the bank. They said Thai authorities rescinded his permit to be in the country and impounded his computer and other equipment in cooperation with Israeli investigators sent to Bangkok.
Although the breach of security is not the first for Israel’s credit card companies – the others were done by penetrating databases through retailers linked to their network rather than from inside the card issuers themselves.
Police named five of the suspects – Ziv Darin, Avraham David, Assaf Mor, Elad Abulafia and Moti Shilon – but as of Sunday had not named the rest, including the alleged ringleader extradited from Thailand. Meanwhile, Leumi Card said it was tightening internal security by barring service representatives from accessing data on card holders.
However, industry sources said that Leumi Card, as well as Israel’s other big issuers of credit cards, CAL and Isracard, were using out-of-date security software rather than Payment Card Industry Data Security Standard, or PCI, the international standard used by Visa, Mastercard and other big issuers.
PCI, which was developed in 2004, comprises sets of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.
Israel’s three credit card issuers have been working to update their standards for the past five years, but are about two years away from completing the work, industry sources said.
“PCI would have been able to minimize access to the Leumi Card database. The standard wouldn’t have reduced [the threat] to zero, but it would have made it much harder to take information from the company,” said one industry source, who asked not be named.