This Israeli Helped One of the World's Biggest Jewish Organizations - Now He’s in Trouble

The Joint had a dangerous data leak. An ultra-orthodox student discovered it and now finds himself in a bind with possible criminal implications

Ran Bar-Zik

Leaks of information – so we have learned over the past several years – are not always the result of sophisticated attacks by genius hackers with cutting-edge technological know-how. Most times, such mishaps are the product of negligence or a lack of professional knowledge on the part of those designing a website, which is then exploited through the use of something as simple as Google. And that’s precisely what happened with the Israeli scholarship application website of the major international Jewish organization the American Joint Distribution Committee – which is commonly known as the Joint.

The Jerusalem offices of the American Joint Distribution Committee – which is commonly known as the Joint. Credit: Faruk

Granted, our names, ID numbers and addresses get leaked all the time. In Israel, they have been available to anyone who is interested due to the information leak last year via the Elector voter app and as a result of a huge number of bots on the Telegram messaging service. Anyone who wishes can enter a name and get the Israeli ID number and current address of any Israeli citizen. But there are also more sensitive documents that, if they fall into the wrong hands, could turn a person into a target of a real cyberattack extortion bid.

Copies of our bank statements, National Insurance Institute records and any documents relating to disability and chronic illness, for example, are just such documents because they contain extremely sensitive details that together can actually facilitate identity theft. All these, it turns out, have to be submitted by university students seeking a scholarship from the Joint – and they are now available via Google due to a careless oversight which allows one to search the web and find these documents.

In the best of cases, such leaks are discovered by individuals with good intentions, some of whom don’t even have technical backgrounds. Case in point: it was Shmuel Lenchner, an ultra-Orthodox student studying a course for cybersecurity practitioners at the Technion Israel Institute of Technology, who discovered the issue with the Joint data. After stumbling on the leak, Lenchner did the responsible thing and contacted the Israel National Cyber Directorate to report the problem. (In Israel, it’s also worth reporting such things to the Privacy Protection Authority).

The Cyber Authority contacted the Joint, which took the website down. Lenchner reported on the incident on his LinkedIn page and went on with his life.

A screen capture from Shmuel Lenchner showing what type of data was leaked from the Joint's website for scholarship applications Credit: Screen capture

That could have been the end of the story – a simple technical mishap at a negligent website that exposed information belonging to its users and that was remedied when discovered. But what happened after demonstrates the risks that those who are exposed to such cybersecurity mishaps assume.

After a few days, Lenchner’s cellphone rang. It was two high-ranking women from the Joint calling. They asked him a lot of technical questions - including if he had used a hacking tool (not Google) to gain access to the documents on the Joint’s website. They allegedly put him under heavy pressure to sign a statement committing that he had not saved the material that he had found in the “hack” and that he had also not passed it on to anyone else. (For its part, the Joint said that it was made clear to Lenchner that he could amend the statement if he wished so that he would be comfortable with the text).

Lenchner was stressed out. He’s not an intel agent or experienced cyber researcher or journalist who might be used to being in such a situation: If he were to admit to using a tool that violates Google’s terms of use, he might run the risk of a criminal indictment.

The website for scholarship applications left data exposed through a simple 'hack' of Google. Credit: Screen capture

Jonathan Klinger, a lawyer specializing in internet law, surmised that “the reason they want a statement is to cover themselves, so that if information was in fact leaked from another source, they might argue in their defense that Shmuel lied here, and they would place the blame on him for the hack.” Lenchner refused to sign.

Imagine what would have happened if it turned out that more malicious individuals had also discovered the leak and extorted scholarship applicants. It is also worth mentioning that in Lenchner’s case, the allegedly heavy-handed demand came from an organization that Lenchner had actually helped.

The Joint Distribution Committee had the following response for this article: “We attribute the utmost importance to the subject of privacy and information security. Minutes after spotting the issue, the website and access to the website were immediately taken offline until all the necessary examinations were performed to ensure that the site was restored to the internet without any malfunction. The issue was reported to the Privacy Protection Authority, and we are working subject to its directives and fully cooperating [with it].

“An outside company has been hired to check all of the logs created for the website and to examine the incident and its scope, and we will act in accordance with the Privacy Protection Authority’s examination and directives.

“With regard to Shmuel Lenchner, he was contacted by phone and asked to delete the material and not to make use of it. In addition, he was sent a draft of a statement that he would act accordingly. He was explicitly informed and in writing that he could amend the text to the extent that he found it proper so that he would feel comfortable with the statement, but since then, his response has not been received.”
