State Comptroller Matanyahu Englman on Tuesday released a special report listing a myriad of cybersecurity shortfalls that put numerous state institutions at risk of falling prey to hackers.
Through the services of white-hat hackers, Englman’s office was able to map out vulnerabilities at Israel’s main airport and one Israeli hospital.
Ben Gurion Airport security breach
According to the findings, the Population and Immigration Authority has failed to properly implement a security protocol designed to prevent criminal and terrorist elements, both foreign and domestic, from entering or leaving the country.
The report presents several cases where different groups exploited the weakness in border controls to either enter or exit the country. The ombudsman further noted that the examples do not represent the full extent of the phenomenon and that it is impossible to ascertain how many times, by whom and for what purpose the weakness was exploited.
Old non-biometric passports and ID cards
The state comptroller dedicated a whole chapter to the issue of biometric ID cards and passports, parts of which were redacted due to national security concerns.
According to the report, almost half of Israelis did not make the switch to biometric ID cards despite the state sinking NIS 430 million ($115 million) into the move.
About 45% of Israeli ID card holders still possess the old, easily forgeable version despite the biometric version having been available for almost a decade and becoming mandatory in 2017. Additionally, some 2.9 million Israelis, comprising 37% of all passport holders, still possess non-biometric passports.
Englman warned that the continued use of old documents has criminal and security implications. For example, in the first half of 2022, there were approximately 400 attempts to enter the country using fake identification documents at border crossings.
He also noted that there is a clear correlation between the number of times citizens reported losing their biometric ID cards and requesting a new one and having a criminal record.
Since the introduction of smart ID cards began in June 2013, 3,834 citizens have reported losing or having their smart cards stolen at least three times, with 70% of them having a criminal record. Of those who have made at least eight requests, 100% had a criminal record.
Englman also noted that massive backlogs in the issuance of biometric passports post-pandemic pushed back the schedule for the completion of the transition to the new version by an additional two years.
Millions of attacks a day
The report also found that Israel’s National Insurance Institute (Bituach Leumi) is targeted by millions of cyberattacks on a daily basis.
The institution—which provides a wide range of services including pensions, health insurance, unemployment payments, etc.—employs only 20 people, six of whom are students, in charge of fending off 2.9 million attacks on a daily average.
Given the volume of residents' personal information stored in the National Insurance Institute's servers and the risks of data leaks, Englman recommended classifying the body as part of Israel's critical infrastructure and shoring up its defenses.
Hospitals aren't safe either
The report also pointed out severe vulnerabilities in the servers of an Israeli hospital. The report withheld the name of the hospital out of security concerns.
The revelations are reminiscent of the conditions that led to a 2021 cyberattack that almost completely shut down a northern Israel hospital for days.
Following the audit, the management of the medical center fixed several issues and updated the security of certain systems. According to an estimate, the total cost of fixing the vulnerabilities could amount to over NIS 10 million ($3 million) per year.
The ombudsman also recommended that the Health Ministry as the regulator take action to implement the recommendations across all medical institutions.