Shirbit insurance breach by Black Shadow
The Black Shadow group breached Israeli insurer Shirbit, stealing ID cards, passports, financial and medical documents, and demanded a bitcoin ransom that escalated toward $1 million. When Shirbit refused, the attackers leaked customer data in stages.
- Victim: Shirbit Insurance
In late November 2020, a previously little-known group calling itself Black Shadow breached the Israeli insurer Shirbit, then staged a days-long public extortion campaign that became one of Israel's most closely watched cyber incidents, and an early example of an attack carrying strong signals of state-aligned, ideologically motivated intent rather than pure profit.
What happened
On 30 November 2020, Black Shadow announced via social media that it had compromised Shirbit and obtained the insurer's client database. The group began publishing samples of stolen material (scanned ID cards, passports, marriage certificates, financial documents, email PST files and audio recordings) to prove the breach and pressure the company.
The attackers demanded an initial ransom of 50 bitcoin (roughly $950,000 at the time), warning that the figure would double, then double again, with each missed deadline. Negotiation messages were later leaked, with the hackers at one point telling Shirbit to "be a mensch" and pay.
Impact
- Highly sensitive personal documents belonging to Shirbit customers were published in stages and offered for sale on a Telegram channel, exposing victims to identity theft and fraud.
- Shirbit, which notably held insurance contracts for some government employees, faced intense scrutiny over whether sensitive populations had been exposed.
- The company refused to pay, stating it would not negotiate with criminals, a decision that drew both praise and criticism as more data was dumped.
Attribution
Black Shadow's behaviour (public leaks, victim-blaming, escalating threats and an apparent willingness to cause harm beyond simple monetisation) led Israeli analysts to assess the group as likely Iran-linked, rather than a conventional financially motivated ransomware crew. The same group resurfaced in 2021 with the high-profile Cyberserve/Atraf attack, reinforcing that assessment.
Why it matters
The Shirbit breach was a wake-up call for Israel's financial and insurance sector and for the country's regulators. It demonstrated how an attacker could weaponise deeply personal documents, not just card numbers, to inflict reputational and psychological damage, and it foreshadowed a wave of Iran–Israel cyber confrontations in which civilian data became a battlefield. Israel's Capital Market and Privacy Protection authorities used the case to push insurers toward stronger data-security obligations.
Timeline
Black Shadow announces it has breached Israeli insurer Shirbit and begins publishing samples of stolen customer documents.
The group demands an initial ransom of 50 bitcoin (around $950,000), with the amount set to escalate if unpaid by deadline.
Shirbit publicly states it will not pay the ransom; the demand rises toward 100 then 200 bitcoin as deadlines pass.
Black Shadow leaks further batches of sensitive data (ID cards, marriage certificates, financial and medical records) and offers data for sale on Telegram.
Israel's Capital Market Authority and Privacy Protection Authority open inquiries into Shirbit's data-security practices.