Leaks of information – so we have learned over the past several years – are not always the result of sophisticated attacks by genius hackers with cutting-edge technological know-how. Most times, such mishaps are the product of negligence or a lack of professional knowledge on the part of those designing a website, which is then exploited through the use of something as simple as Google. And that’s precisely what happened with the Israeli scholarship application website of the major international Jewish organization the American Joint Distribution Committee – which is commonly known as the Joint.
Granted, our names, ID numbers and addresses get leaked all the time. In Israel, they have been available to anyone who is interested due to the information leak last year via the Elector voter app and as a result of a huge number of bots on the Telegram messaging service. Anyone who wishes so, can enter a name and get the Israeli ID number and current address of any Israeli citizen. But there are also more sensitive documents that, if they fall into the wrong hands, could turn a person into a target of a real cyberattack extortion bid.
Copies of our bank statements, National Insurance Institute records and any documents relating to disability and chronic illness, for example, are just such documents because they contain extremely sensitive details that together can actually facilitate identity theft. All these, it turns out, have to be submitted by university students seeking a scholarship from the Joint – and they are now available via Google due to a careless oversight which allows one to search the web and find these documents.
In the best of cases, such leaks are discovered by individuals with good intentions, some of whom don’t even have technical backgrounds. Case in point: it was Shmuel Lenchner, an ultra-Orthodox student studying a course for cybersecurity practitioners at the Technion Israel Institute of Technology, who discovered the issue with the Joint data. After stumbling on the leak, Lenchner did the responsible thing and contacted the Israel National Cyber Directorate to report the problem. (In Israel, it’s also worth reporting such things to the Privacy Protection Authority).
The Cyber Authority contacted the Joint, which took the website down. Lenchner reported on the incident on his LinkedIn page and went on with his life.
That could have been the end of the story – a simple technical mishap at a negligent website that exposed information belonging to its users and that was remedied when discovered. But what happened after demonstrates the risks that those who are exposed to such cybersecurity mishaps assume.
After a few days, Lenchner’s cellphone rang. It was two high-ranking women from the Joint calling. They asked him a lot of technical questions - including if he had used a hacking tool (not Google) to gain access to the documents on the Joint’s website. They allegedly put him under heavy pressure to sign a statement committing that he had not saved the material that he had found in the “hack” and that he had also not passed it on to anyone else. (For its part, the Joint said that it was made clear to Lenchner that he could amend the statement if he wished so that he would be comfortable with the text).
- Iran Hackers Claim They’ve Hit the Bank of Israel - but ‘No Proof,’ Cyber Authority
- 'Great Alarm': First Detected Use of Mysterious Israeli Spyware on EU National
- Exposed Hamas Espionage Campaign Shows 'New Levels of Sophistication'
Jonathan Klinger, a lawyer specializing in internet law, surmised that “the reason they want a statement is to cover themselves, so that if information was in fact leaked from another source, they might argue in their defense that Shmuel lied here, and they would place the blame on him for the hack.” Lenchner refused to sign.
Imagine what would have happened if it turned out that more malicious individuals had also discovered the leak and extorted scholarship applicants. It is also worth mentioning that in Lenchner’s case, the allegedly heavy-handed demand came from an organization that Lenchner had actually helped.
The Joint Distribution Committee had the following response for this article: “We attribute the utmost importance to the subject of privacy and information security. Minutes after spotting the issue, the website and access to the website were immediately taken offline until all the necessary examinations were performed to ensure that the site was restored to the internet without any malfunction. The issue was reported to the Privacy Protection Authority, and we are working subject to its directives and fully cooperating [with it].
“An outside company has been hired to check all of the logs created for the website and to examine the incident and its scope, and we will act in accordance with the Privacy Protection Authority’s examination and directives.
“With regard to Shmuel Lenchner, he was contacted by phone and asked to delete the material and not to make use of it. In addition, he was sent a draft of a statement that he would act accordingly. He was explicitly informed and in writing that he could amend the text to the extent that he found it proper so that he would feel comfortable with the statement, but since then, his response has not been received.”