Nearly 100,000 pres. pardon applicants’ records exposed to wartime cyber threats, report finds

The President’s Residence holds large amounts of information, including especially sensitive data on nearly 100,000 pardon applicants. Damage to those systems could harm privacy, the reputation of the institution, and the public image of the President’s Residence and the person who stands at the head of the state.

The proper functioning of the President’s Residence depends on the confidentiality, integrity, availability, and survivability of the information in its possession, including the computer systems and communications components that process and store it.

The audit said the President’s Residence’s information and computer systems are central and essential assets that must be protected like any other organizational resource of value. Harm to those systems could cause operational, technological, and financial damage, as well as harm to privacy and to a central symbol of the state.

Among other things, the President’s Residence had not appointed an information-security officer for the databases. It had also not prepared the required database-definition documents, mapped its databases, or prepared an inventory of database systems.

The audit also found that the President’s Residence had not established required procedures regarding access permissions. It did not operate an automated documentation mechanism to monitor access to the database systems.

Since 2019, the President’s Residence has received services from an external supplier for the characterization, development, support, and maintenance of the pardon database. The audit found that the President’s Residence did not act as required under the Information Security Regulations in its engagement with the supplier.

The President’s Residence did not conduct a preliminary examination of the information-security risks involved in the engagement from 2019 onward. The agreement with the supplier also did not clearly specify what information the supplier was permitted to process or the purposes for which the supplier could use it.

The agreement did not specify the systems the supplier was permitted to access or the actions it was authorized to carry out. It also failed to establish a mechanism to return the information to the President’s Residence at the end of the engagement period.

The supplier was not obligated to report to the President’s Residence on its compliance with the Information Security Regulations. It was also not obligated to report a database information-security incident if one occurred.

The President’s Residence transferred pardon requests containing sensitive information to the Justice Ministry and to the Military Advocate General’s Corps by email over the internet, without encryption. The audit found that this method was used even for especially sensitive information.

The information transferred included personal details, personal and family circumstances, and medical, social, economic, and rehabilitative reasoning. By doing so, the President’s Residence acted contrary to the requirements of the Information Security Regulations and the Cyber Defense Doctrine, the report said.

The audit also found that pardon requests sent to the Justice Ministry and to the Military Advocate General’s Corps were stored in the email inbox of the legal bureau at the President’s Residence for an unlimited period. The inbox was not emptied regularly, leaving old pardon requests containing especially sensitive information stored there.

That meant anyone with access to the inbox, such as a system administrator, could be exposed to personal details of pardon applicants over many years, even when there was no need to retain them.

In September 2024, the President’s Residence adopted the guidelines of the government cyber defense unit for the unclassified environment. However, as of June 2025, no steering committee for cyber-defense issues had been established at the President’s Residence.

During the audit, in June 2025, a ministerial steering committee for cyber-defense issues was established for the first time at the President’s Residence. It was chaired by the director-general of the President’s Residence and convened for the first time in early July 2025.

The audit found that central tasks had not been advanced. The management of the President’s Residence had not assessed damage, examined or approved the office risk map, formulated measurable targets for examining implementation of cyber-defense infrastructure, carried out management reviews, or checked the feasibility and execution of activities defined for the cyber-defense management system.

In July 2025, during the audit and about 10 months after the President’s Residence adopted the government cyber defense unit’s guidelines, the residence updated that it had begun carrying out an infrastructure risk survey for the first time. As part of that process, a penetration test was being performed.

The audit found that the President’s Residence had carried out only a partial infrastructure penetration test. It also found that no penetration test had been carried out for applications installed on its computer systems.

The lack of full testing limited the residence’s ability to identify vulnerabilities in its infrastructure and applications. This was especially significant because some computerized systems had reached the end of their life cycle, and some endpoint stations were running expired versions that exposed them to vulnerabilities.

The President’s Residence operates several communications networks and has a disaster recovery plan. However, the audit found deficiencies in its compliance with requirements concerning monitoring of information systems.

Monitoring is a central component of cyber defense because it helps detect unauthorized access, abnormal activity, and possible incidents. Partial monitoring can weaken the ability to respond quickly to a breach or misuse of sensitive information.

The audit also found that some computerized systems at the President’s Residence had reached the end of their life cycle. Some endpoint stations were running expired versions, leaving them exposed to known vulnerabilities.

The management of the President’s Residence did not manage its cyber-defense activity over the years according to dedicated cyber-defense work plans. Its general work plans included some cyber-related tasks, and the 2025 work plan included two tasks related to cyber defense.

The President’s Residence allocated about 15% of its total information-technology budget to cyber defense in 2023. That share dropped to about 5.8% in 2024 and rose to about 11% in 2025.

The report viewed the allocation of cyber-defense budgets in 2023 and 2025 positively. However, it found that the President’s Residence did not maintain a separate record of budgets directed specifically to cyber defense, making it difficult to examine whether it complied with the guidelines of the government cyber defense unit.

State Comptroller Matanyahu Englman said the President’s Residence must continue correcting the deficiencies found in the audit. He said this was necessary to ensure the confidentiality, integrity, availability, and survivability of the information in its possession.

The report warned that harm to systems containing sensitive information on nearly 100,000 pardon applicants could damage privacy, reputation, and the image of the President’s Residence. It said the residence must act to protect the privacy of residents and prevent damage to the institution’s standing.

“The President’s Residence must continue acting to correct the deficiencies in order to ensure the confidentiality and survivability of the information,” Englman said.

The findings come as Israel has faced an increasingly severe cyber threat environment during wartime, including Iranian-linked activity and attacks on public and private entities.

Earlier cyber-related audits and reporting have raised concerns about vulnerabilities in public systems, critical infrastructure, government databases, hospitals, and remote-work environments.