Voter Data From Likud Party App Leaked for Second Time in One Week

Elector app developer and Likud deny that there was a serious mishap, but the second hack involved disclosure of more information than the first

Netanyau at the Likud campaign launch party in January.
Emil Salman

A second and more serious data breach has been uncovered in the Elector firm’s election software that Likud has been using in its Knesset campaign, as reported by the Calcalist business daily on Sunday.

Both hacking incidents, which occurred within a week of one another, involved the leak of the entire registry of Israeli voters for the March 2 Knesset election, but the latest breach compromised details beyond the voter rolls.

Following the first hacking incident, Elector, the developer of the software, whose system is also used by Avigdor Lieberman’s Yisrael Beiteinu party, claimed that it had been exposed for a matter of seconds. But according to information obtained by Haaretz, and as reported by Noam Rotem and Ido Kenan of the CyberCyber podcast, the two were easily able to hack into the system even after the first incident. They said they were able to access not only the voter rolls, including voters’ addresses and ID numbers, but the full details of Likud election workers and comments that the workers had entered into the system about whether voters were supporters of the party’s leader, Prime Minister Benjamin Netanyahu, or not.

Elector is hosted by Amazon’s cloud computing services and access to the system requires a password of sorts, but Elector’s programmers left the password visible on its site by simply clinking on the option “view source.” Once outsiders obtained that information, they would have been able to enter the Elector system and gain access to copies of the entire database and download it. The operation is not particularly complicated to do.

With regard to the second leak, Elector told Calcalist that it involves an attempt to tarnish the company’s reputation “with baseless information that is the result of a lack of understanding and to create a media buzz over nothing.” The company claimed that the database did not contain sensitive information and that the company is cooperating and working with complete transparency with the relevant officials. “It is impossible to do anything with these keys unless you have the highest level user name from Amazon.” The code that was available to the public was 10 months old, the company said, and was used as a testing tool for potential employees. “In any event it was deleted,” the company added.

In response to Calcalist, the Likud party stated: “Examinations carried out by leading cybertechnology companies that were hired by Likud indicate that there was a hostile attack by an outsider. Likud is working to identify the source of this criminal activity and will consider filing a complaint with the Israel Police.”

Source code from the Elector app page, which reveals the system-admins' username and password

Yisrael Beiteinu told Calcalist: “There is no basis for [the report]. Yisrael Beiteinu is making every effort to protect privacy.”

In response to a petition filed with the Central Elections Committee seeking to bar the Likud from using the Elector app and requiring the party to delete all of the information gathered using the app, on Sunday Attorney General Avichai Mendelblit and the Privacy Protection Authority called for the petition to be dismissed out of hand.

No authority

Mendelblit and the authority acknowledged that there had been "serious security failures" in the use of the app, but said the elections committee has no authority to consider claims regarding alleged violations of privacy protection laws.

The most recent disclosure followed the considerable attention that the first incident attracted around the world, and also raises the possibility that others have hacked into the system if Rotem and Kenan reported being able to do so without difficulty.

Data from the field

The value of the Elector system is the data that can be fed into it by party workers in the field, and in Likud’s case, it has included information about voters’ friends, relatives and coworkers and notations as to who is a Likud supporter and who isn’t. On Election Day, the system can be used to encourage Likud supporters to turn out at the polls and can be adapted to specific potential voters.

The database is also a trove of information of intelligence value. For example, a search of voters by location could be refined to a particular military base around the country. Israel is not the only country where such an incident has occurred but it is the only one where it has occurred twice in a week, an apparent indication that Israeli authorities failed to act after the first incident.