Information at risk: Tens of thousands of alerts per day for cyberattacks on the National Insurance Institute

June Green
November 12, 2024   

A State Comptroller's report published today (Tuesday) reveals that the National Insurance Institute is exposed to tens of thousands of cyberattack attempts every day.

According to the report, the Mossad's database, which contains the personal details of all Israeli citizens from birth to death, suffers from serious security gaps.

"Especially in times of war - cyber breaches are a given," states State Comptroller Matanyahu Engelman. "We must not wait for our enemies to get their hands on the National Insurance Institute's databases."

The findings indicate a systemic failure in protecting information.

The National Insurance Institute has not updated its information security policy for a decade, despite dramatic changes in cyber risks. Half of the required security managers do not exist at all, and 87% of information security regulations are only partially implemented.

The National Insurance Company's Monitoring and Control Center (SOC) is staffed by a single analyst, who is supposed to deal with tens of thousands of alerts per day. The analyst has not undergone any specific training, and the center is not even under the responsibility of the Information Security Division.

The report specifically warns about the lack of penetration tests of the National Insurance Institute's central system. Only 71% of the tests performed were on systems linked to the central system, where all the databases are located. Moreover, deficiencies discovered in the tests were not corrected.

The severity of the situation is heightened in light of a serious information security incident that occurred in February 2022, when the personal information of 2,000 citizens was exposed and accessible to unauthorized persons. The report warns that a cyber incident at the National Insurance Institute could not only harm the privacy of millions of citizens, but also harm the benefit payment system.

The risk is heightened by the transfer of information to many external entities through information sharing systems in which security gaps have been discovered. The National Insurance Institute does not monitor whether the information transferred complies with what has been approved, and does not stop the transfer of information as required after five years.

The Comptroller determines that the Acting Director General of the National Insurance Institute, the institution's management, and the Cyber Steering Committee, in cooperation with the National Cyber Directorate, must act as soon as possible to map the material cyber risks and formulate a work plan to address the information security gaps.

National Insurance response:

The auditor's report came in the midst of process changes and in-depth staff work with the arrival of a new VP of IT at the National Insurance Institute.

Even though the changes were underway and even though the auditor was told about this and presented with the work plan, the audit took place.

This is why the report does not address cyber incidents or information leaks as a result of negligence, and the main focus of the review is solely on administrative aspects, which we also emphasize.

Everything that came up in the report is already in the work plans, some of which have already been completed and upgraded.
