The Privacy Protection Authority announced today (Monday) that Derech Eretz Highways, the company responsible for operating Highway 6, has violated the provisions of the Privacy Protection Law and its regulations. The announcement came amid a “serious security incident that led to the disclosure of personal information about its customers.”
As part of the same security incident, which was opened following a report by Derech Eretz Highways, information security vulnerabilities were discovered on its payment site that allowed the disclosure of a great deal of information from its customers’ invoices. The information the company provided to the Authority showed that the “invoice payment” page on the company’s website made it possible to access customers’ payment invoices and past invoices, with personal information including first and last name, payment amounts, vehicle location, and travel dates and times.
According to the Privacy Protection Authority, because the company did not document access to its systems as it was required to, it is not possible to know the exact time when unauthorized persons could access the company’s systems. Accordingly, the Authority determined that Derech Eretz Highways did not possess appropriate safeguards. The findings of the supervision procedure carried out by the Authority also show that the company partially mapped the possible information security risks, but did not act over a period of more than a year to correct the deficiencies found in the penetration tests.
A letter from the Authority to the company operating Route 6 stated that companies and organizations in the economy “are required to adopt a dynamic information security policy and that with the development of threats and risks, the organization must carefully examine the updated risks and act accordingly.” As a result, companies and organizations have a duty to update their systems and conduct risk surveys and intrusion tests, in order to examine and prepare for the changing risks.
“In accordance with the findings of the inspection, the Authority determined that the Company violated the provisions of the Privacy Protection Law and its regulations and also required the Company to perform a number of corrective actions,” the Privacy Protection Authority announced.
The Road 6 (Derech Eretz) company responded: “The issue has been addressed in accordance with the most stringent requirements.”