IDF cybersecurity failures could lead to stolen identities, warns state comptroller
In sweeping report, Matanya Englman finds lapses in securing soldiers’ dental records and fingerprints, as well as in education, transportation and Tax Authority systems
The Israel Defense Forces is uniquely vulnerable to cyberattacks, which could lead to significant identity theft, warns the state comptroller in a damning report issued Tuesday.
State Comptroller Matanyahu Englman also pointed to cybersecurity failings in Israel’s education system as well as the Tax Authority, transportation infrastructure and water supply.
“The reports we published today are very disturbing in terms of security and in safeguarding all of our personal information,” said Englman in a statement, noting that much of the findings remain secret due to security concerns.
“But what can be revealed is also very disturbing,” he added. “The government must make [dealing with] cyberthreats a top priority… we will continue to monitor the government’s handling of the issue.”
The 33-page report from the State Comptroller’s Office points to “significant gaps” in protecting biometric information held by the IDF, including dental records, fingerprints, and in some cases DNA samples used to potentially identify soldiers killed in action. The report points out that the military has not updated its privacy protection protocols since 1996.
The report also notes that biometric information of deceased soldiers is saved, “leading to fears that hackers could use this information to steal and assume their identities.” Englman points out that some of the IDF databases are protected only at a medium level of cybersecurity, when it should be at the highest level.
In response to the report, the IDF issued a statement noting that it has already begun to study and implement most of Englman’s findings and recommendations to boost the security of its databases.
The military points out that the databases referenced in the report are “located within the classified IDF network, and are not accessible to external parties or exposed to unauthorized parties within the IDF.”
The IDF also noted that its privacy protection protocols, which have not been updated since 1996, “are in the process of being validated and updated,” and that the military will accept the comptroller’s recommendations to continue to do so every few years.
Englman’s report also pointed to cybersecurity failings within the Education Ministry, expressing concerns that grades on the national matriculation exam — as well as the exams themselves — could be easily accessed by hackers.
The report notes that the ministry’s online system is protected by an outdated cybersecurity program, and that the manufacturer of the program stopped supporting that version in 2019.
When it comes to the Tax Authority, the state comptroller warned that it is entirely too reliant on a single external company that is contracted to revamp the computer system that deals with foreign trade. Relying solely on that company, whose own level of cybersecurity protection is unknown, could lead to compromised information, the comptroller suggests.
The report also points out that Israel’s transportation infrastructure and water suppliers are particularly vulnerable to potential cyberattacks.
In 2020, Iranian hackers allegedly targeted Israel’s Water Authority and attempted to increase the amount of chlorine in the water supply to dangerously high levels. Last year the Water Authority hired a cybersecurity company to protect its machinery against potential cyberthreats and ransomware attacks.
Nevertheless, Tuesday’s report pointed out that the Water Authority had not required water suppliers nationwide to operate a system of protection against cyberattacks.