In what could be one of the biggest cases of cyber extortion in Israel, eight former Bank Leumi employees threatened to sell information about two million of the bank’s credit card accounts unless they were paid a ransom.
Seven of the suspects were arrested over the weekend, and the eighth, the suspected ringleader extradited from Thailand, landed in Ben Gurion airport on Sunday and will face charges with his fellow conspirators.
The eight had obtained the identity numbers and three-digit security code that appear on the back of credit cards for two million holders of the bank’s Leumi Card. While the suspects could have made online or telephone purchases with this information, Leumi Card said that no accounts had been compromised.
Instead, a former Leumi Card employee, fired a year ago and living in Thailand, sent an email to Bank Leumi threatening to sell sensitive cardholder data he had copied to the highest bidder unless he was paid “millions of shekels”.
After an Israeli cyber-crime unit launched an investigation, Thai authorities compounded his equipment in line with Israeli investigators and rescinded his permit to be in the country.
The breach of security is not the first for Israel’s credit card companies, other were committed by penetrating databases linked to the card issuer’s network.
Leumi Card said it was tightening internal security by barring service representatives from accessing data on card holders.
However, industry sources told the Israeli paper Haaretz that Leumi Card, as well as Israel’s other big issuers of credit cards, CAL and Isracard, were using out-of-date security software rather than Payment Card Industry Data Security Standard, or PCI, the international standard used by Visa, Mastercard and other big issuers.
Israel’s three credit card issuers have been working to update their standards for the past five years, but are about two years away from completing the work, the industry sources said.