The Limited Times


Comptroller's report: Deficiencies in privacy protection found in the systems at the Enforcement and Collection Authority's Fines Collection Center | Israel Hayom

2023-05-16T13:38:32.916Z

Highlights: The database of the Center for the Collection of Fines includes sensitive information regarding about 3 million debtors and the amounts of debt under its care. The permissions of 14 former call center employees to the operational system were not removed after their termination. The State Comptroller's report by Comptroller Matanyahu Engelman shows that deficiencies were found in the field of privacy protection and information security in the information systems at the Fines Collection Center. The audit found that despite the findings, the Enforcement and Collection Authority did not implement a specific technological solution in its systems.


Although the Center's operational system for collecting fines is defined as a database that requires a high level of security, deficiencies were found in the field of privacy protection and information security • The permissions of 14 former call center employees to the operational system were not removed after their termination


The database of the Center for the Collection of Fines (MAGAC) includes sensitive information regarding about 3 million debtors and the amounts of debt under its care, amounting to NIS 6.8 billion as of the date of the audit. The State Comptroller's report by Comptroller Matanyahu Engelman shows that although the Center's operational system for collecting fines is defined as a database that requires a high level of security, deficiencies were found in the field of privacy protection and information security in the information systems at the Fines Collection Center of the Enforcement and Collection Authority.

Thus, although in 2016 the MAGAC defined a list of 13 exceptional business events that require individual examination to determine whether they were justified, in September 2022 1,391 exceptional events were recorded, of which only 99 (7%) were examined. In addition, the MAGAC has not updated the list of adverse events in the system since 2016.

Another finding is that the permissions of 14 former call center employees to the MAGAC operational system were not removed, even though their employment had ended one to 13 months before the date of the audit. In addition, the MAGAC did not act to block the smart cards of employees who had finished working at the call center, and in practice the call center staff use the cards and passwords of these former employees in various cases.


It also emerged that out of 44 user permissions opened in the designated computerized system (System B) in 2021, 23 permissions (52%) were opened without seeking approval from the authorization administration, as required by the MAGAC procedure. In addition, 21% of the call center employees, i.e., 20 out of 94, used the system without a smart card associated with them.

The Center for the Collection of Fines, Fees and Expenses in the Enforcement and Collection Authority (MAGAC) is the body whose role is to collect debts for the benefit of the State Treasury and public bodies, as well as to collect compensation awarded to crime victims in criminal proceedings. In order to collect the debts, the MAGAC was granted collection powers, including the power to require information about the debtor from a public body. To collect debts efficiently, the work of the MAGAC is managed through a computerized system that contains an extensive database regarding about 3 million debtors, including, inter alia, names, identity numbers, residential addresses, telephone numbers, details of assets held by debtors, and information from the National Insurance Institute, the Licensing Department of the Ministry of Transport and other authorities.

No control performed

With regard to privacy protection and information security, the MAGAC is required to act in accordance with the provisions of the law, including the Protection of Privacy Law, 1981 and the regulations thereunder, government decisions, and the procedures and guidelines of the bodies regulating the subject, including the government's Cyber Defense Unit (hereinafter: "YHAV"), which is a professional guiding body in the field of cybersecurity.

From July 2020, when the MAGAC began working through System B, until the end of the audit in October 2022, no control was carried out over the permissions opened in the system, nor was it checked whether permissions needed to be removed because they no longer matched the nature of the position or because of a change of position.

All MAGAC employees, as well as outsourced employees of the call center, have access to all the information in the MAGAC operational system about the millions of debtors whose data is stored in the system, without any examination of whether that extent of access is necessary according to their job definition.


The MAGAC does not document users' access to the vast and sensitive information in the system and does not monitor it. In this situation, even if users exceed their authority, the exceptions cannot be detected and stopped. Permissions for System C, which enables the production of broad reports on the activities of the MAGAC and detailed information on files, were granted to employees whose job nature does not require access to information in the system. Indeed, nearly 40% of those authorized for System C (20 out of 52) have not used System C at least as of 2021.

Danger of penetration

A penetration test carried out by the government's Cyber Defense Unit found flaws at the infrastructure level that could pose a significant risk if an infiltration of the organization's network occurs. The audit found that despite the findings of the penetration test, the Enforcement and Collection Authority did not implement a specific technological security solution in its systems, including in the MAGAC's operational system.

It should be noted that between September 2021 and October 2022, the State Comptroller's Office examined aspects of privacy protection and information security in the MAGAC systems. The audit examined how access to, use of and changes in the MAGAC information systems are documented, the authorization system for the MAGAC information systems, and the handling of the risk of penetration of the information systems. Completion tests were carried out in January and February 2023. The audit was carried out at the Fines Collection Center of the Enforcement and Collection Authority and at the Authority's headquarters. Completion checks were conducted at the Privacy Protection Authority in the Ministry of Justice and at the National Digital Directorate.

Comptroller Engelman recommends that the Enforcement and Collection Authority and the MAGAC act as soon as possible, in accordance with the instructions of the relevant bodies, to prevent information leakage from the organization and to preserve its integrity, with the aim of preventing damage to the integrity of the information and to the functional continuity of the MAGAC in the provision of services, preventing leakage of data and information from the database, and preventing their exposure to unauthorized parties.


Source: israelhayom
