The Likud has uploaded the full register of Israeli voters to an application, causing the leak of personal data on 6,453,254 citizens. The information includes the full names, identity card numbers, addresses and gender of every single eligible voter in Israel, as well as the phone numbers and other personal details of some of them.
Israeli political parties receive personal details of voters before the elections and commit to protecting their privacy, as well as not to reproduce the registry, not to provide it to a third party, and to permanently erase all the information once the election is over.
The voter registry was uploaded by Likud to the Elector app, which is used by the party to manage Election Day. The firm that developed the application, Feed-b, commented that the vulnerability was a “one-off incident that was immediately dealt with," and that security measures have since been boosted.
The Likud has yet to respond to a request for comment.
According to information obtained by Haaretz, as well as Noam Rotem and Ido Kenan of the Cybercyber podcast, a vulnerability in the application allowed for anyone to easily download the entire voter registry. The only known leak of a similar magnitude occurred in 2006, when an Interior Ministry employee stole the population registry and distributed it illegally.
Haaretz received an anonymous tip about the security lapse, allowing anyone to obtain the leaked information in its entirety without using sophisticated tools. Right-clicking on the Elector app's home page and choosing "view source" revealed the original code of the internet page. The code revealed all the usernames and passwords of system admins, allowing one to log in and download the registry.
The anonymous tipper also provided Haaretz with personal details of powerful people in Israel. It is unknown how many people gained access to the data and downloaded it. However, the application has users in various countries abroad, among them the United States, China, Russia and Moldova.
- Twitter says Iran, Israel may have accessed users' phone numbers
- Israel High Court allows Arab lawmaker to run for Knesset, overrules election panel
- Breaches of Israel's biometric database kept secret until watchdog happened upon reports
Privacy advocates warned about use of the application even before the leak. Upon learning of it, Haaretz informed the National Cyber Directorate, which in turn reported it to the Privacy Protection Authority.
The application is the end product of a computerized system for election management, which was developed and operated by Feed-b. The system allows the sending of text messages and the managing of data about voters and voting stations.
Last week, Prime Minister Benjamin Netanyahu called on Likud supporters to download the app to help the party.
TheMarker and the online media affairs magazine Ha’ayin Hashivi’it revealed in recent days that the app, which Shas and Yisrael Beiteinu also use, enables the creation of databases that violate the privacy protection law because it invites users to provide additional information about the names of acquaintances who might vote for Likud – including their telephone number (which is not included in the voter registry).
Thus, thanks to Likud members, much more information that had been in the hands of the party was revealed in the massive leak. It is not entirely clear which additional information was included in the database, and Haaretz declined to conduct a more comprehensive check lest it violate the law.
Dr. Anat Ben David, a senior lecturer in the Open University’s department of sociology, political science and communications, and Nir Yasur, an expert on analyzing information systems, reviewed the system and discovered that anyone could download the app, use it and easily identify an existing user. In the wake of the discoveries, attorneys Shahar Ben-Meir and Yitzhak Aviram petitioned the Central Elections Committee to issue a temporary restraining order against use of the application.
Likud has been involved in previous information security scandals, and the party’s database of its own voters has leaked a number of times to the web. The party’s primary system was also hacked, allowing any user connected to the internet to make changes to it. In the current affair, the details of all citizens were leaked, regardless of whether they were affiliated to Likud.