A software flaw has exposed the personal data of every eligible voter in Israel — including full names, addresses and identity card numbers for 6.5 million people — raising concerns about identity theft and electoral manipulation, three weeks before the country’s national election.
The security lapse was tied to a mobile app used by Prime Minister Benjamin Netanyahu and his Likud party to communicate with voters, offering news and information about the March 2 election. Until it was fixed, the flaw made it possible, without advanced technical skills, to view and download the government’s entire voter registry, though it was unclear how many people did so.
How the breach occurred remains uncertain, but Israel’s Privacy Protection Authority, a unit of the Justice Ministry, said it was looking into the matter — though it stopped short of announcing a full-fledged investigation. The app’s maker, in a statement, played down the potential consequences, describing the leak as a “one-off incident that was immediately dealt with” and saying it had since bolstered the site’s security.
The flaw, first reported Sunday by the newspaper Haaretz, was the latest in a long string of large-scale software failures and data breaches that demonstrated the inability of governments and corporations around the world to safeguard people’s private information, protect vital systems against cyberattacks and ensure the integrity of electoral systems.
It came less than a week after another app helped make a fiasco of the Democratic presidential caucuses in Iowa, casting serious doubts on the figures that were belatedly reported. That app had been privately developed for the party, had not been tested by independent experts, and had been kept secret by the party until weeks before the caucuses.
The personal information of almost every adult in Bulgaria was stolen last year from a government database by hackers suspected of being Russian, and there were cyberattacks in 2017 on Britain’s health care system and the government of Bangladesh that the United States and others have blamed on North Korea. Cyberattacks on companies like the credit agency Equifax, the Marriott International hotel company and Yahoo have exposed the personal data of vast numbers of people.
Those were sophisticated, often government-backed hacking operations, but exploiting the Israeli flaw, linked to an app called Elector, did not require a hacker’s skills.
The government of Israel provides access to the voter registry to political parties, which are required to safeguard its contents. According to Israeli media, Likud, in turn, provided access to Elector Software, the maker of the app.
The Privacy Protection Authority said in a statement that responsibility for complying with Israeli privacy law involving use of the voter registry “lies with the parties themselves.”
Explaining the ease with which the voter information could be accessed, Ran Bar-Zik, the programmer who revealed the breach, explained that visitors to the Elector app’s website could right-click to “view source,” an action that reveals the code behind a webpage.
That page of code included the user names and passwords of site administrators with access to the voter registry, and using those credentials would allow anyone to view and download the information. Bar-Zik, a software developer for Verizon Media who wrote the Sunday article in Haaretz, said he chose the name and password of the Likud party administrator and logged in.
“Jackpot!” he said in an interview Monday. “Everything was in front of me!”
“When we talk about hacking, we imagine people in hoodies doing technical stuff,” he said, but in this case, no hacking skill was necessary.
Bar-Zik said he had received a tipoff about the problem on Friday night. The message was sent in English to Cybercyber, a podcast that he hosts with two colleagues, and as evidence, the tipster included Bar-Zik’s own details from the voter registry, and those of his wife and son.
“It was spooky,” he said.
Netanyahu is in a fight for his political survival, under indictment on corruption charges and facing a third general election in less than a year, after the previous two failed to produce conclusive results.
He had encouraged supporters to download the Elector app. It was not clear if Likud or Elector had violated the government’s standards for keeping data private, or what kind of security testing the app had undergone.
One Israeli website said it had been able to access the personal information of, among others, Netanyahu; his wife, Sara; the chief of staff for the Israeli military, Aviv Kochavi; and Nadav Argaman, the head of Shin Bet, Israel’s domestic security agency.
The last comparable government data breach in Israel occurred in 2006, when an employee of the Interior Ministry stole the population registry and then published it.
Databases listing personal information of private citizens can be exploited for a number of purposes, including by criminals looking to make money through identity theft, or by foreign state-backed hackers looking to spy on or influence Israeli voters before a critical election.
“This is a treasure for foreign countries with geostrategic interests in Israel,” Tehilla Shwartz Altshuler, head of the Media Reform Project at the Israel Democracy Institute, a nonpartisan think tank in Jerusalem, told Channel 12 news.
These huge voter databases are one more reason that cybersecurity officials across the world have warned that new technology is best kept out of the hands of election officials and political parties.
Most recommend that new technology, including voting machines and apps used by political parties, be tested for months, or even years, before being deployed to the public.
Cybersecurity experts specializing in election technology have begun holding specialized sessions at the world’s largest annual conference for hackers, DefCon. During the sessions they hack into voting machines and other technology used during elections in an effort to expose their vulnerabilities.