Shirbit hack serves as a wakeup call to every financial company
What's next for Shirbit and the insurance sector after company refuses to pay ransom and hackers vow to sell client data
The biggest nightmare of the financial sector was realized last week when it was revealed that hackers had broken into the servers of Israeli insurance company Shirbit and stole data on the company's clients. The hackers opened a telegram group in which they shared some of the information in their possession. Initially, they posted photos of ID cards and licenses and later also published more sensitive information. The hackers gave Shirbit a deadline to pay approximately one million dollars in Bitcoin until Friday morning, with the ransom rising every 24 hours thereafter. Two more deadlines have since gone by and each time the hackers released more info on customers. The hackers threatened that they would begin selling the stolen data following the third deadline which passed at 9:00am Israel time on Sunday morning.
The hackers tried to convince Shirbit to pay until the last moment, with the price rising to 200 Bitcoin (approximately $3.8 million) following the passing of the first two deadlines. At exactly 9:00am the hackers posted a message stating that had Shirbit paid them the 50 Bitcoin they had originally asked for they would have kept their word. A few hours earlier the hackers published on their Telegram group messages they claimed were sent by people interested in acquiring the information. Among those messages was one stating that: "I want to give this information to the security agency to get points from them. If you help me, you have done a great favor to me and the people of Iran, as well as the people of the world."
Other insurance companies in Israel tightened procedures following the hack and some barred their employees from logging in to systems remotely at night or over the weekend in order to minimize the potential exposure to hackers. In addition, the Israeli Parliament's Financial Stability Committee, which includes financial regulators, will convene this week. The meeting was scheduled prior to the Shirbit hack, but the security breach and its consequences are set to be discussed, including the question of whether regulations need to be put in place regarding the way in which companies negotiate and pay hackers.
"There is no doubt that this is a disturbing and stressful incident," said one financial sector senior executive. A tech expert estimated that: “it seems from the details that have been leaked that the breach was only in a server that had files and photos and not information like credit card details which would have allowed the hackers to steal money. As of now, the damage from publishing this information is an invasion of privacy and the potential of stealing identities." In addition, there are those who are wondering whether Shirbit only really found out about the hack on November 30th, as usually there are signs of a breach occurring, especially if the hacker remains logged in for an extended period of time. That raises the question of whether the company actually reported the incident to the authorities on time.
Shirbit told Calcalist in response that "as of now the cyber incident has effected 300 of the company's clients, with the exposure in most cases not related to the financial aspect and with no credit card details being revealed." Nevertheless, the fact that some personal and sensitive information has been leaked, including medical records, may well make it just as serious as if money had been stolen.
2. To pay or not to pay
Shirbit announced that it doesn't intend to accept the ransom demands, a decision it reached after consulting with professional organizations it has hired to deal with the incident. Shirbit CEO Zvi Leibushor added that "the company will not give in to this type of terror and will act within its means to defend the company's clients and information."
There were those who were surprised by Shirbit's decision and claimed that the company would have been better off paying the ransom and getting the incident done with as soon as possible. However, the fact that the National Cyber Directorate is managing the crisis and dictating the decisions is estimated to be having an effect on the ultimate outcome. Sources in the financial sector estimated that the decision not to pay is probably due to an understanding that the information that was stolen is not of significant risk at a national level and doesn't justify capitulating to hackers, or that law enforcement is closing in on the hackers or on neutralizing them and the preference at this time is to buy as much time as possible in order to locate them. Another reason behind not paying the ransom is the fear that the hackers are from organizations that are hostile to Israel.
Assaf Harel, a partner at Gornitzky & Co. who leads the firm's Cybersecurity, Data Protection and Privacy practice, said: "if there is an assessment that the attackers are the citizens of an enemy state like Iran or acting on its behalf, that means that paying them could be a criminal offense as it is forbidden by law to transfer funds to an enemy of the state."
3. The Capital Market, Insurance and Savings Authority found 24 weaknesses
Shirbit is an insurance company that is regulated by the Capital Market, Insurance and Savings Authority, but as of now its involvement in managing the crisis has been limited. The National Cyber Directorate has taken the lead and is effectively in control. At this stage, the authority's main involvement is to ensure the company accurately reports its situation to its clients and board of directors. Once the incident is over it is expected to investigate whether Shirbit acted as it was expected to.
This is the first time the authority has had to deal with an incident of this magnitude, which also means it will need to reach its own conclusions regarding its oversight on the cybersecurity aspect. In addition, it will likely look into whether there is a need to set up a cybersecurity center dedicated to insurance companies similar to the one banks have. In a Bank of Israel survey held last year among senior banking executives, 90% of the respondents said that cybersecurity threats are their biggest concern. The second most pressing concern at 58% was the risk of failing to meet regulatory demands.
In 2018, the authority held a surprise inspection among institutional organizations to examine whether they could be breached. The results of the probe showed that there was a need to improve cybersecurity and included recommendations of how to do so. "It can be said that in general the institutional organizations are acting to strengthen their cybersecurity infrastructure, and in most cases the findings revealed a need to do so, with an emphasis on the extensive changes the cybersecurity world is undergoing and the ever growing threats," the authority wrote at the time.
The authority's findings identified 24 different types of weaknesses in systems which can be utilized for a cyberattack. For example, it was found that extensive valuable information was located on local workstations without protection and that it was possible to upload and download files and information. The question is did Shirbit implement all the authority's recommendations?
4. Lawsuits, fines and reputational damage
Shirbit, which is owned by Igal Ravnof and run by Zvi Leibushor, is an insurance company specializing in elementary insurance (car, apartment, travel) which has a market share of around 2.5% and equity capital of only NIS 250 million (approximately $76.4 million). The company had won several state tenders and it also insures defense sector employees. Shirbit ended 2019 with a profit of NIS 26 million ($7.95 million), but it was hit hard by the Covid-19 pandemic, ending the first half of 2020 with losses of NIS 2 million compared to a profit of NIS 29.1 million in the first six months of the previous year. The losses were the result of the crash in the stock market and the drop in activity due to the crisis. Shirbit is currently focused on ending the hack with as little as damage as possible. However, it will face many additional challenges afterwards, including an investigation by the Capital Market, Insurance and Savings Authority which could end with a fine, lawsuits from clients that have already been filed, and paying the array of experts it hired to deal with the situation. Shirbit is believed to own insurance for cybersecurity damages, so it will be refunded to some extent.
The big question is whether the company will be able to recover from this crisis from a reputation standpoint and regain the trust of its clients. Its attractive low prices will surely no longer be enough to do so.