The Privacy Protection Authority conducted a criminal investigation that revealed an insurance agency that operated a network for trading information about policyholders, the purpose of which was to obtain business information and use it illegally for the purpose of stealing customers. The investigation revealed 11 involved suspects, among them the agency’s managers and the sources it operated within the 3 major insurance companies in Israel.
During the last two years, the insurance agency has employed sales agents in the insurance companies who were employed on a regular basis, for a fee.
A large insurance company received a report from an anonymous source. The suspected insurance agency employs workers in the insurance companies whose job is to systematically collect information from the companies’ policyholders, for a fee. Following the anonymous report, the insurance company contacted the Privacy Protection Authority, which opened a broad criminal investigation against the suspected insurance agency.
The investigative actions included questioning dozens of involved and suspects, among them the managers of the insurance agency who previously worked in insurance companies, conducting searches in a number of locations, including the homes of the key people involved in the case and the offices of the insurance agency, seizing bank documents, cell phones, computers, as well as copying the agency’s databases.
The findings of the investigation revealed that most of the suspects, who knew each other from a prior acquaintance, were instructed to focus on transferring the details of policyholders who paid a monthly premium higher than 300 NIS. The information included the amount and types of insurance the customer purchased, the premiums he paid, date of birth, National ID number, National ID card issue date, full name, phone number, and profession. The transfer of information was carried out by copying the data on the insured from the insurance company’s databases onto paper notes or sending them by email, WhatsApp, and other ways. For each note or message that contained the details of a potential client, the employees of the insurance companies received a sum of 30 NIS, which accumulated to hundreds of thousands of NIS paid by the managers of the suspect agency. The suspects were interrogated for suspicion of committing numerous offenses of invasion of privacy, and now at the end of the investigation, the case has been transferred to the Cyber Department of the State Attorney’s Office for review and a decision regarding the filing of indictments.
Advocate Efrat Hoshen Mandel, head of criminal enforcement at the Privacy Protection Authority said:
“The case revealed crimes that were committed in a systematic and planned manner in exchange for money without the knowledge of the policyholders and with a serious violation of their privacy. Financial information is personal information and action must be taken to ensure that it remains so. The Privacy Protection Authority will continue to conduct a determined fight against those who seek to harm the public’s privacy.”
The criminal investigation carried out by the Privacy Protection Authority, in this case, is one of the enforcement channels in which the Authority operates in the insurance sector. In the coming weeks, the Authority will publish to the public the findings and conclusions of the extensive inspection it conducted at dozens of insurance agencies and insurance companies. This is a significant and sector-wide enforcement channel operated by the Authority to ensure compliance by the entities belonging to this sector with the provisions of the Privacy Protection Law and the regulations pursuant thereto.