A significant data breach has occurred involving a campaigning site used by Likud, the political party led by Israeli Prime Minister Benjamin Netanyahu. The breach, which came just weeks ahead of the upcoming legislative elections, exposed sensitive personal information belonging to approximately 6.5 million eligible Israeli voters.

In Israel, political parties are granted access to voters’ personal data prior to elections, with the stipulation that this information must be safeguarded and deleted post-election. This regulatory framework obligates political entities to respect the privacy of citizens while ensuring the data is not shared externally.

It has been reported that Likud transferred the complete voter registry to Feed-b, a software development firm, which subsequently uploaded this data to a promotional website (elector.co.il) designed for the voting management application titled ‘Elector.’

Ran Bar-Zik, a cybersecurity researcher, disclosed that the data leak did not result from a security flaw within the Elector application itself. Instead, negligence on the part of Feed-b is to blame: the firm inadvertently exposed the access credentials for the admin panel through an unsecured API endpoint that was visible in the website's public source code.

According to analyses, these weaknesses correspond to tactics described in the MITRE ATT&CK framework, such as Initial Access and Privilege Escalation. This incident may have involved the exploitation of open-source information and the mishandling of sensitive credentials, giving attackers an open pathway to access and download the extensive voter database.

The exposed information encompasses a wide range of sensitive data, including full names, identity card numbers, addresses, and gender. Moreover, specific entries contain additional personal details such as phone numbers and the names of family members.

Currently, while the compromised Elector website remains down for many users, reports indicate that the software company has addressed the vulnerability. However, uncertainties linger regarding the actual number of individuals who may have accessed or downloaded the exposed voter information before the breach was mitigated.

In response to this alarming incident, the Israeli Justice Ministry’s Privacy Protection Authority (PPA) has initiated an investigation to assess the impact and pinpoint the failures leading to this substantial data leak. The outcome of this inquiry may provide critical insights into data management practices that are essential in safeguarding voter information.

As the technology community continues to scrutinize this incident, it serves as a compelling reminder of the importance of robust cybersecurity measures in protecting sensitive personal information from inadvertent exposure and malicious exploitation in an increasingly connected world.
