Where’s the Phone? A Stupid Mistake Provides a Tough Lesson in WhatsApp

A leading Israeli credit card service used a single smartphone to communicate with clients. The phone had all their details on it. Then someone stole it

Isracard broke privacy rules by using a single phone to communicate with its clients via WhatsApp. Once the phone was stolen, the company lost access to the data. Credit: Martin Meissner/AP

A careless error and a case of petty theft at an Israeli credit card company provide a rich lesson on privacy and security in the digital age.

Israel’s Privacy Protection Authority has ruled that the Isracard credit card company violated privacy protection regulations. The reason: The firm failed to sufficiently protect its customers’ private documents after an incident in which an employee stole a cellphone that the credit card company was using to receive sensitive information from its clients.

The authority has released a report on its findings from the lengthy oversight process that it conducted at the credit company, which was initiated after Isracard disclosed the incident to the authority, as it was required to do by law. At the same time, Isracard opened its own internal investigation into the case. 

According to the information released by the authority, Isracard had designated only a single cellphone as the company’s customer service number and asked customers to send documents that they were required to transmit to the credit card firm to that phone via an instant messaging service. 

“The findings from the Privacy Protection Authority’s oversight [process] revealed that the cellphone served as a kind of ‘WhatsApp call center’ to which customers would send documents and various kinds of information,” the report said, referring to Facebook’s WhatsApp messaging service.

The arrangement meant that valuable and sensitive information ended up on the cellphone, the authority said, “including hundreds of documents that were sent to the company by its customers – among them names, telephone numbers, ID numbers, bank transfer confirmations, authorizations to debit accounts, death certificates and other sensitive details.”

The employee who stole the cellphone was apparently only interested in the device itself and didn’t intend to make use of the information contained on it. He may not have entirely understood the trove of information that it contained and that he could have sold or used to extort customers of the major credit card firm or to impersonate them.

“In the course of the oversight process, it was found that an internal investigation conducted by Isracard revealed that a company employee had taken possession of the cellphone at the end of a work day, removed its SIM card [containing the phone’s basic identification information and other data], formatted it, associated it with his personal Gmail account and installed his own personal SIM,” the privacy authority’s report stated.

In response to this article, Isracard said: “As indicated from the authority’s statement, this is an information security incident that has been dealt with and reported by Isracard. The incident itself occurred more than a year ago, in June 2020. 

“The lessons drawn from the incident were immediately applied around the time of the incident by the company. It should be noted that the company’s customers’ details were not affected and that no information leaked out. We will continue to check ourselves, to report and to correct deficiencies with full transparency if the need arises as part of our commitment to our customers as Israel’s leading credit card company.” 

By reformatting the phone and replacing the SIM card, the Isracard employee spared the company much more serious trouble, but the incident revealed a large number of deficiencies in the credit card firm’s data protection system. 

“At the time of the incident, Isracard had permitted access to the cellphone without requiring the accepted measures under such circumstances to ensure that access to the database and its systems would only be given to those with permission to access the information,” the privacy authority said. 

“In addition, the company didn’t exercise care so that physical access to the [cellphone] would only be available to people in relevant positions. It didn’t ensure that use of the device would only be available to those with valid permission and didn’t set up a means of identification such as a password or fingerprint,” the authority found. 

The investigation did not uncover evidence that any of the personal data was actually leaked outside the firm, and the privacy protection agency did not receive any complaints regarding any such leaks, the agency added. In light of the findings, the Privacy Protection Authority ruled that Isracard had violated privacy protection regulations, a determination that could potentially expose the firm to class action litigation on behalf of Isracard’s customers. 

In many cases, the privacy protection agency prefers to rule that a violation has been committed without fining the company over its conduct, which in practice leaves any further action to lawyers in the private sector to pursue.