(Bloomberg) -- Israel’s military, tax system and water and transportation networks have inadequate defenses against cyberattacks, according to a report by the state comptroller. The report faulted a country esteemed for its cybersecurity prowess for failing to adequately secure some of its own critical infrastructure.

In an audit released Tuesday, and partially redacted for national security reasons, Israeli state comptroller Matanyahu Englman said there were “significant gaps” in the military’s cyberdefenses. He highlighted vulnerabilities in its biometric database, which contains hundreds of thousands of dental records, fingerprints and blood samples of current and former Israeli soldiers.

The army had been ordered to secure the database with high-level cyberdefense measures, but in practice adopted only “mid-level” security, the report said. The armed forces have also not carried out risk assessments or penetration tests to detect vulnerabilities since the database was established in 2005, he said.

Cyberattacks are surging in Israel, with weekly attacks on targets in the country climbing to an average of 1,288 per organization so far this year from 811 in 2021, according to research by IT security company Check Point Software Technologies Ltd. Most attacks in the last two years were directed at education and research sites, followed by communications, health care, government and military systems, the Israeli-US cybersecurity firm said. 

Israel is seen as a cybersecurity powerhouse, producing an outsize number of global players, including Check Point and CyberArk Software Ltd. Cyber exports in 2021 rose 61% from the previous year to $11 billion, according to the Israel Export Institute. Data compiled by the Israel National Cyber Directorate in 2021 estimated that 40% of overall private global investment in cybersecurity was sunk into Israeli companies.

The comptroller also criticized the IDF for failing to destroy the biometric data of deceased soldiers, in violation of an order to annually wipe the system of outdated information. He warned of a high risk of identity theft if hackers compromised the database.

“The IDF possesses biometric information of soldiers who died -- there is a concern that hackers will use it to impersonate and steal their identities,” he said in a statement accompanying the report.

The state auditor also evaluated the cyberdefense readiness of water companies. The report said cyber threats to Israel’s water and sewage infrastructure have increased in recent years and confirmed two cyberattacks on the industry in 2020 and 2021, without offering details or naming the attackers. In May 2020, the Financial Times and New York Times, citing Israeli and Western intelligence officials, reported that Iran was behind a thwarted cyberattack on Israel’s water facilities a month earlier. Iran denied the allegations.

Englman said that through December 2021, some of the Israeli water companies received “low scores” on cyberdefense.

The state comptroller also cautioned that Israel was not equipped to handle a large-scale cyberattack targeting its public transportation system. There is a “fundamental systematic and functional problem with all that concerns the State of Israel’s readiness against cyber threats in the transportation sector,” he said.

©2022 Bloomberg L.P.