In what could be one of the biggest cases of cyber extortion in Israel, eight former Bank Leumi employees threatened to sell information about two million of the bank’s credit card accounts unless they were paid a ransom.
Seven of the suspects were arrested over the weekend, and the eighth, the suspected ringleader extradited from Thailand, landed in Ben Gurion airport on Sunday and will face charges with his fellow conspirators.
The eight had obtained the identity numbers and three-digit security code that appear on the back of credit cards for two million holders of the bank’s Leumi Card. While the suspects could have made online or telephone purchases with this information, Leumi Card said that no accounts had been compromised.
Instead, a former Leumi Card employee, fired a year ago and living in Thailand, sent an email to Bank Leumi threatening to sell sensitive cardholder data he had copied to the highest bidder unless he was paid “millions of shekels”.
After an Israeli cyber-crime unit launched an investigation, Thai authorities compounded his equipment in line with Israeli investigators and rescinded his permit to be in the country.
The breach of security is not the first for Israel’s credit card companies, other were committed by penetrating databases linked to the card issuer’s network.
Leumi Card said it was tightening internal security by barring service representatives from accessing data on card holders.
However, industry sources told the Israeli paper Haaretz that Leumi Card, as well as Israel’s other big issuers of credit cards, CAL and Isracard, were using out-of-date security software rather than Payment Card Industry Data Security Standard, or PCI, the international standard used by Visa, Mastercard and other big issuers.
Israel’s three credit card issuers have been working to update their standards for the past five years, but are about two years away from completing the work, the industry sources said.
Despite the data protection regulation being implemented in 2018, 69% of IT decision makers don’t have the backing of their board to achieve GDPR compliance, according to Calligo.
The majority of the region’s 28 member states report that the situation has worsened over the past year, reports business management consultant Verisk Maplecroft.
Regulators in the UK, the US and Hong Kong instituted proceedings against more than 1,700 individuals last year, or four times the number of cases brought against companies.
The US Commodity Futures Trading Commission approved LedgerX as the first regulated clearing house for derivatives contracts settling in digital currencies.