The personal data of almost 6.5 million Israeli voters
was leaked online after Likud, the country’s governing party, uploaded the
information to the highly vulnerable Elector application.

Prior to the elections, all parties receive information
about the voters, on the understanding they’ll guard it carefully and destroy
it after the election. It looks like the software used by Likud had a bug that
allowed virtually anyone to download the entire registry.

The Haaretz news publication
received an anonymous tip regarding the security fumble and investigated the
issue, only to find it was real. Basically, the user names and passwords for
system admins were exposed in plain text in the page source of the website. Logging
in and downloading the entire registry was a trivial task.

For now, it’s unclear if anyone downloaded the user
registry. The personal data laid bare online included full names, identity
card numbers, genders, and even full addresses along with phone numbers. A total
of 6,453,254 people were affected.

The company that made the app, Feed-b, only said that it fixed
the issue as soon as it learned about it, but gave no other details about possible

The political parties that receive access to the voter
registry used the information in various ways up to Election Day, such as sending SMS
messages, tracking voting presence, and more.