Security Breach Revealed Personal Information of Israeli Toll Highway Users

Last year, Rotem discovered another breach in Highway 6’s systems, allowing attackers to obtain customer receipts by changing the URL on their browsers.

Israeli tollway Highway 6. Photo: Amit Sha'al

Highway 6 is operated by privately-held company Derech Eretz Highways Management Corporation Ltd. The license plates of all cars entering the highway—which spans around 170 kilometers, connecting the country’s northern Galilee region with the southern Negev desert—are scanned, and car owners receive a bill according to the car’s information as registered with the Israeli Ministry of Transportation. Derech Eretz manages its texting needs through Israel-based contractor CellAct Ltd.

Recently, one of Rotem and Adam’s scans identified unencrypted excel files that contained all the text messages sent by Derech Eretz to customers and employees between May 2018 and January 2019. According to Rotem, the files contained 2.9 million messages sent to 824,000 phone numbers.

Most of the texts were service messages to customers, with the most sensitive being those that associated license plates to certain users, as they also contained their full names. This type of information is supposed to be privileged, Rotem said in a recent interview with Calcalist. “Private investigators can use it to locate someone,” he said. “Criminals can head to the long-term parking lot at the airport to identify car owners that are on vacation, find their address elsewhere, and break into their house knowing no one is home,” he added.

Rotem said he even found a compromising message addressed to him within the files. “I am someone who is very careful about his privacy,” he said, explaining that he never gives out his personal information to companies that are not trustworthy and that he takes extra care to never appear on any list he does not have to be on. “That is why I was surprised and angry to find my personal information just lying there on an unsecured server where anyone with a web browser could get to it.”

Another type of text message Rotem found in the files was operational messages sent to Highway 6 employees, such as notification of a dead pig on the road or a car accident at a specific location. According to Rotem, the most valuable information here is the complete list of relevant employees’ phone numbers. Someone could start bombing them with reports, sending workers all over the country, diverting attention from a specific location where that person is planning to do something that could be dangerous or unlawful, he said.

Rotem also found messages alerting authorities of the whereabouts of certain individuals. This kind of breach could hamper police efforts as it could make a criminal aware that they are being monitored, he explained.

In response to Calcalist’s request for comment, a Derech Eretz spokesperson said the malfunction was caused by a third-party supplier hired by the company, and that it is currently under investigation. The company also said it was working relentlessly to prevent similar incidents from occurring in the future.

A CellAct spokesperson confirmed that a file containing text messages sent by Highway 6 during the period mentioned in the article was sent unencrypted to an external unsecured server. CellAct has performed a test and determined that only two entities were exposed to the file and that the company’s systems were not hacked, the spokesperson said. The company has further clarified to employees the proper procedure concerning the transmission of files, they added.