This Israeli Helped One of the World's Biggest Jewish Organizations - Now He’s in Trouble

The Joint had a dangerous data leak. An ultra-orthodox student discovered it and now finds himself in a bind with possible criminal implications

Ran Bar-Zik

Leaks of information – so we have learned over the past several years – are not always the result of sophisticated attacks by genius hackers with cutting-edge technological know-how. Most times, such mishaps are the product of negligence or a lack of professional knowledge on the part of those designing a website, which is then exploited through the use of something as simple as Google. And that’s precisely what happened with the Israeli scholarship application website of the major international Jewish organization the American Joint Distribution Committee – which is commonly known as the Joint.

The Jerusalem offices of the American Joint Distribution Committee – which is commonly known as the Joint. Credit: Faruk

Granted, our names, ID numbers and addresses get leaked all the time. In Israel, they have been available to anyone who is interested due to the information leak last year via the Elector voter app and as a result of a huge number of bots on the Telegram messaging service. Anyone who wishes to can enter a name and get the Israeli ID number and current address of any Israeli citizen. But there are also more sensitive documents that, if they fall into the wrong hands, could turn a person into a target of a real cyberattack extortion bid.

Copies of our bank statements, National Insurance Institute records and any documents relating to disability and chronic illness, for example, are just such documents because they contain extremely sensitive details that together can actually facilitate identity theft. All these, it turns out, have to be submitted by university students seeking a scholarship from the Joint – and they are now available via Google due to a careless oversight which allows one to search the web and find these documents.

In the best of cases, such leaks are discovered by individuals with good intentions, some of whom don’t even have technical backgrounds. Case in point: it was Shmuel Lenchner, an ultra-Orthodox student taking a course for cybersecurity practitioners at the Technion – Israel Institute of Technology, who discovered the issue with the Joint data. After stumbling on the leak, Lenchner did the responsible thing and contacted the Israel National Cyber Directorate to report the problem. (In Israel, it’s also worth reporting such things to the Privacy Protection Authority.)

The Cyber Authority contacted the Joint, which took the website down. Lenchner reported on the incident on his LinkedIn page and went on with his life.

A screen capture from Shmuel Lenchner showing what type of data was leaked from the Joint's website for scholarship applications. Credit: Screen capture

That could have been the end of the story – a simple technical mishap at a negligent website that exposed information belonging to its users and that was remedied when discovered. But what happened after demonstrates the risks that those who are exposed to such cybersecurity mishaps assume.

After a few days, Lenchner’s cellphone rang. It was two high-ranking women from the Joint calling. They asked him a lot of technical questions - including if he had used a hacking tool (not Google) to gain access to the documents on the Joint’s website. They allegedly put him under heavy pressure to sign a statement committing that he had not saved the material that he had found in the “hack” and that he had also not passed it on to anyone else. (For its part, the Joint said that it was made clear to Lenchner that he could amend the statement if he wished so that he would be comfortable with the text).

Lenchner was stressed out. He’s not an intel agent, an experienced cyber researcher or a journalist who might be used to being in such a situation: If he were to admit to using a tool that violates Google’s terms of use, he might run the risk of a criminal indictment.

The website for scholarship applications left data exposed through a simple 'hack' of Google. Credit: Screen capture

Jonathan Klinger, a lawyer specializing in internet law, surmised that “the reason they want a statement is to cover themselves, so that if information was in fact leaked from another source, they might argue in their defense that Shmuel lied here, and they would place the blame on him for the hack.” Lenchner refused to sign.

Imagine what would have happened if it turned out that more malicious individuals had also discovered the leak and extorted scholarship applicants. It is also worth mentioning that in Lenchner’s case, the allegedly heavy-handed demand came from an organization that Lenchner had actually helped.

The Joint Distribution Committee had the following response for this article: “We attribute the utmost importance to the subject of privacy and information security. Minutes after spotting the issue, the website and access to the website were immediately taken offline until all the necessary examinations were performed to ensure that the site was restored to the internet without any malfunction. The issue was reported to the Privacy Protection Authority, and we are working subject to its directives and fully cooperating [with it].

“An outside company has been hired to check all of the logs created for the website and to examine the incident and its scope, and we will act in accordance with the Privacy Protection Authority’s examination and directives.

“With regard to Shmuel Lenchner, he was contacted by phone and asked to delete the material and not to make use of it. In addition, he was sent a draft of a statement that he would act accordingly. He was explicitly informed and in writing that he could amend the text to the extent that he found it proper so that he would feel comfortable with the statement, but since then, his response has not been received.”
