Breaking the information in Shirbit: Fear of leaking personal details of senior civil servants

An rare announcement of an incident of information theft by Shirbit customers after a cyber attack was released by the Capital Market Regulator and the Cyber Company. The incident has not yet finished, according to the announcement, and the investigation continues in a collaborative effort by the Authority and the system.

13:53 GMT, Tuesday, 1 December 2020

Along with the National Cyber Network, the Insurance and Savings Capital Market Regulator released an extraordinary and unexpected announcement this morning (Tuesday) of a cyber attack on the Shirbit insurance firm in which personal records were leaked from the company’s employees and clients, including senior civil servants.

Shirbit is a comparatively small insurance firm operated by Zvika Leiboshor and owned by Yigal Rabnoff, the chairman. It was mentioned nearly a year ago that there were contacts for the company’s selling to Clal Insurance, but the contacts did not mature. Of 2000.

Among other items, Shirbit insures public employees and has won a tender to offer private auto benefits to state employees in 2021, “to state employees, their spouses and spouses, as well as state retirees.” on November 10 this year.

For example, a car insurance payment form from 2013 by a district judge, which contains personal information such as a car identification card number and a credit card number, was among the records leaked. Supplementary records carry the dates for the next year – 2020. Although there are no indications that credit card data have been compromised so far the leaked information could cause people to be impersonated for the purpose of committing criminal offenses, such as stealing of funds.

In three tweets that it shared on its Twitter account, the blackShadow hacker community claimed responsibility for the incident. According to the statement, “there was a huge cyber attack by the blackShadow team on the network infrastructure of the insurance company Shirbit, which is located in Israel’s economic literature.” The group confirmed in another tweet that all identities of employees and customers have been hacked.” Another tweet repeated the announcement of the cyber array and the Capital Market Authority. Twitter totally blocked the account of the hacker community after these tweets.

The tweets, which her party says were stolen during the attack, were attached to two documents. Photographs of documents stolen on suspicion of attack, including several sensitive information about the client of the firm, were released. A complete address, details of family members, details of the cars of the insured and more were reported among the details. The second paper is the car licence of the insured. A photocopy of an Israeli citizen’s identification card was also released. The image revealed that the citizen’s full information had been released, but his image was partially blurred.


It is not yet possible to say with certainty, though that the identity of the attackers is actually activists, and that they could be imitations of criminal assault groups, such as hacker groups based in North Korea, for example.

Another explanation is that this is an attack by Iran, disguised in this manner. There has been an extreme and continuing shadow war in the cyber context between Israel and Iran in the past year only a small part of which is prominently publicized in the mass media, and typically no party assumes direct responsibility for its actions.


Among the tweets, the hashtag OpIsrael, which notes that this is an assault by activists with a political motive linked to Israel’s domination over Judea and Samaria, was tagged under a long line of remarks according to which the general meaning of the attack can be interpreted. Attacks against institutions in Israel are carried out by hackers from around the world, and so far these attacks have focused on vandalizing websites and planting pro-Palestinian slogans.

To relay additional messages, additional requests were used. For instance, due to its so-called “poor level of security” the MediumSecurity hashtag is a sting by the attackers against the attacked organization.

A dedicated telegram community was launched for the attack in addition to the posts on Twitter, in which further information of the attack were released and the extent of the harm caused to the business it reported. The telegram reported that in addition to serious damage to the data centers, a significant portion of the company’s registered customers – leaked. The information included customer identity documents, financial statements and other documents related to the company.”

Text archives, a speech log, and a file containing the archive of a full email box were among the documents released on the telegram channel itself to illustrate the information that was leaked as a result of the attack (pst file).

The channel posted a screenshot of a mailbox’s email gui, probably of an employee of a company. The picture is an effort to show that a full email file was hacked by the perpetrators, enabling them to view all the email box material of the victim. The email showed a screenshot of the 2015 vehicle license of an Israeli resident.


The cyber system and the PA have announced that the incident has not yet come to an end and that the investigation is now ongoing with collaborative actions by the PA and the system. “the system has again sharpened, together with the PA, the guidelines for the institutional bodies in the economy.” it was also stated.

There has been a spike in the number of cyber attacks on organisations and private people worldwide following the start of the Corona epidemic, primarily due to the fact that the move to operate from home has provided a broader opening for hackers to carry out attacks on organizations. It should be remembered that nearly all incidents are not disclosed to the public, except for the organizations listed that are expected to record exceptional incidents that occur.


The CEO of the Shirbit Insurance Firm, Zvika Liboshor, claimed in reaction to the incident that The Shirbit Insurance Company places the field of safety and service for its customers at the top of its priorities, and is ranked year after year among the top insurance companies in Israel.”
“In securing databases and defending against cyber threats, Shirbit has spent millions of shekels and meets all the strict regulatory criteria in this regard.

In addition, the organization is now spending all the money and energies required to solve an effective, stable and swift cyber attack, the main purpose of which is to attempt to damage the Israeli economy.
“Full action and transparency with the state authorities and will take all necessary measures to ensure that its customers are safeguarded and that quality and optimum service continues to be provided.”