Data of all 6.5 million Israeli voters gets leaked
Israel’s Privacy Protection Authority said it was looking into what it called a “grave” security lapse by the maker of an app promoted by Prime Minister Benjamin Netanyahu and his Likud party that led to the exposure of personal data of all 6.5 million eligible voters in Israel, including full names and identity card numbers.
The flawed website for the app, called Elector, failed to secure personal details in the voter registry, which also included the address and gender of each voter, even those who did not use it, and in some cases phone numbers as well, the Haaretz newspaper first reported Sunday, raising concerns about identity theft and foreign interference.
The maker of Elector did not immediately respond to an emailed request for comment, but in a statement issued to the Israeli news media, it sought to play down the potential consequences, describing the leak as a “one-off incident that was immediately dealt with” and saying it had since bolstered the site’s security.
The data required essentially no hacking skills to access, and it was unknown how many people had downloaded the registry.
Netanyahu had encouraged supporters to download the app, which offers news and information related to the March 2 election, the third in less than a year after the first two failed to provide an outright winner and efforts to form a coalition came up short. In a statement issued in response to the reports Sunday, the Privacy Protection Authority, a unit of the Justice Ministry, said responsibility for complying with Israeli privacy law involving use of the voter registry “lies with the parties themselves.”
It stopped short of announcing a full-fledged investigation, however, and said it could not give further details at this stage.
Ran Bar-Zik, a developer for Verizon Media who wrote the story the Haaretz published Sunday, was alerted to the breach over the weekend. In an interview Monday, he said he had received a tipoff about the Elector website breach Friday night. The message was sent in English to Cybercyber, a Hebrew podcast that he hosts with two colleagues. As evidence, the tipster included Bar-Zik’s own details and those of his wife and son. “It was spooky,” Bar-Zik said.
Explaining the ease with which the voter information could be accessed, Bar-Zik wrote in a blog post that visitors to the app’s website could right-click to “view source,” an action that reveals the code behind a webpage.
The code revealed the usernames and passwords of site administrators, and using those credentials would allow anyone to log in and download the voter information.
Bar-Zik said he chose the Likud administrator and “Jackpot! Everything was in front of me!”
“When we talk about hacking, we imagine people in hoodies doing technical stuff,” Bar-Zik said. But in the Elector case, he added, no hacking technique was necessary.
One Israeli website said it had been able to access the personal information of, among others, Netanyahu; his wife, Sara; the chief of staff for the Israeli military, Aviv Kochavi; and Nadav Argaman, head of Shin Bet, Israel’s domestic security agency. The leak was believed to be the largest disclosure of Israeli voter information since 2006, when an employee of the Interior Ministry stole the population registry and then published it.
The exposure of the database of Israeli voters could have significant consequences. Databases listing personal information of private citizens can be exploited for a number of purposes, including by criminals looking to make money through identity theft or by foreign state-backed hackers looking to spy on Israeli voters ahead of a critical election.