Report: Major Security Breach in the Jerusalem Electricity Company, Tens of Thousands of Palestinian IDs Exposed

SafetyDetectives Cybersecurity Team

As part of his work at the SafetyDetectives Research Lab, Israeli hacker and activist Noam Rotem has recently uncovered a major security breach in the system of JDECo, the Jerusalem District Electricity Company.

Established in 1956, the company provides power to tens of thousands of customers in Jerusalem, Bethlehem, Ramallah, and Jericho. Private households and local businesses make up a large percentage of the company’s customer base.


Sensitive Data Exposed

As the JDECo system was fully exposed, the hacker was able to easily gain access to customer data – from full names, addresses, and telephone numbers, to photos of ID cards and other private information.

The database contained tens of thousands of ID cards:


In addition to this personal data, it was also very easy to find information regarding bills, payment history, power malfunctions, service calls, and so on.

Here, we can see a list of open service calls.


The system is hosted on the Israel Electric Company IP range:


Anyone Can Be an Admin

Security measures on the servers were so poor that the hacker was even able to obtain admin access.

Some of the admin files do not check for permissions or any kind of authentication, meaning they could be accessed and opened by anyone, no username or password necessary.

Specifically, the file adduser.aspx allows adding new users and granting them admin permissions.

Once this file was accessed, all the hacker had to do was fill out this form to create a new user:


Once the user was created and titled “Admin,” full access to the system was granted. In addition to customer billing info and payment history, a user with admin permissions can view employee information, devices, and much more.


With admin access come full editing permissions, so employees could be added and deleted, and all their personal information could be viewed and modified.


As for customer information, the billing status of accounts could be changed, and debts could be “cleared” with a click of a mouse.


When attending to power malfunctions and other issues, company employees sometimes take photos of meters. Those were accessible as well:


As were photos of specific malfunctions.
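
A defender can look for the condition described in this section, admin pages served without any login, in the web server's own access logs. The following is an added example, not code from the original report or from JDECo: it assumes IIS-style W3C logs in which cs-username holds the authenticated user and "-" marks an anonymous request. Only adduser.aspx comes from the report; the sample log lines are constructed.

```python
# Added example: flag anonymous requests that were served an admin page.
# Assumptions: W3C extended log format with cs-username enabled; ADMIN_PAGES
# is a site-specific list (only adduser.aspx is named in the report).
ADMIN_PAGES = {"adduser.aspx"}

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2019-01-01 10:00:01 192.0.2.10 jsmith GET /admin/adduser.aspx 200
2019-01-01 10:05:42 198.51.100.7 - GET /admin/adduser.aspx 200
2019-01-01 10:05:59 198.51.100.7 - POST /admin/adduser.aspx 200
2019-01-01 10:06:30 203.0.113.5 - GET /admin/adduser.aspx 302
2019-01-01 10:07:00 203.0.113.5 - GET /default.aspx 200
"""


def find_unauthenticated_admin_hits(log_text, admin_pages=ADMIN_PAGES):
    """Return log records where an admin page was served to an anonymous client."""
    fields, hits = [], []
    pages = {p.lower() for p in admin_pages}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated or malformed records
        rec = dict(zip(fields, values))
        page = rec.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower()
        anonymous = rec.get("cs-username") == "-"
        served = rec.get("sc-status", "").startswith("2")
        # A redirect to a login page or a 401/403 is the expected outcome;
        # a 2xx with no user name means the page ran without authentication.
        if page in pages and anonymous and served:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_unauthenticated_admin_hits(SAMPLE_LOG):
        print(h["date"], h["time"], h["c-ip"], h["cs-method"], h["cs-uri-stem"])
```

Any record this returns is a request where an admin page executed for a client that never authenticated, which is the signal to review both the page's access checks and what that client did next.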


Ethical Hacking in the Middle East

In the midst of this region of conflict, an Israeli hacker – the same one who warned us all about Bibi’s bots – immediately reached out to JDECo, a company supplying power to 30% of the households in the West Bank and East Jerusalem, to alert them of the severe security breach in their system.

In this day and age, ethical hacking has the power to bridge between communities.

Our security experts were happy to provide guidance and information on how to fix all the problems. We suggested securing the web server, transferring to proper MVC architecture, checking all scripts, implementing proper protocols, using a proper API key, and performing regular security checks.

We’re glad to report that JDECo took our suggestions to heart and resolved most security issues.

About Us

SafetyDetectives.com is the world’s largest antivirus review website. The Safety Detectives research lab is a pro bono service that aims to help the online community defend itself against cyber threats, while educating organizations on protecting their users’ data.

You may be interested in reading about a major security breach found in hospital and supermarket refrigeration systems, and how Anonymous hackers took down over one million pages on hundreds of corporate websites.

Published on: May 7, 2019

About the Author
SafetyDetectives Cybersecurity Team

The SafetyDetectives research lab is a pro bono service that aims to help the online community defend itself against cyber threats while educating organizations on how to protect their users’ data. The overarching purpose of our web mapping project is to help make the internet a safer place for all users.