Israel national cybersecurity leaked the personal data of its own citizens

Data breach incidents know no boundaries. Recently, an information security researcher found that an app used by the Likud Party, led by Israeli Prime Minister Benjamin Netanyahu, leaked the personal data of more than six million voters, equivalent to almost 100% of registered voters in the country.

Ran Bar-Zik, a front-end developer originally from Israel, was responsible for reporting the flaw. The researcher claims that he detected the data breach while reviewing security measures in Elector, an app developed by Feed-b at the request of the Likud party.

Subsequently, the data breach was confirmed by various local media. According to the information security expert, Elector does not have adequate security measures for the tasks it performs, so the names, addresses and personal identification numbers of Israeli voters, among other details, were compromised. All the compromised information was uploaded by the Likud party to the app’s database.

It should be noted that political parties in Israel receive details from voters shortly before the start of electoral processes. Political parties use this data to contact citizens across the country to try to convince them to vote for their party. However, the privacy legislation in force in Israel prevents political parties from posting this information or sharing it with third parties.  

At the conclusion of the elections, parties must permanently delete these databases in order not to violate privacy laws. Just a few days ago, the prime minister invited Likud party workers and supporters to download the app.

No official technical details have been published yet; however, a local firm states that the vulnerability detected in this app allowed any user to download the entire voter registry very easily, without even using any advanced hacking tool.

According to information security experts, anyone who has the app’s administrator credentials could log in and download the database. Feed-b, the company that owns the app, described this breach as an isolated incident and announced some measures to address the information leak.