An Election App Breach Exposed the Personal Data of 6.5 Million Israelis
CTech – “We must win the election,” Prime Minister and Likud party leader Benjamin Netanyahu announced last week at an election rally in Ramla, a city in central Israel. “We are only three seats short,” Netanyahu said. “And what do we need to get those seats? Elector!” Behind Netanyahu, a huge screen lit up with the logo of the election campaign management mobile app developed by Elector Software, a phone number, and the message: “send an SMS, register, and enlist!”
“Get your phones out, take a picture of the number. Elector!” Netanyahu repeated. “Bring it on. With this, we win!”
Some of the political players that worked with Elector include Netanyahu in his Likud primaries against Gideon Sa’ar; far-right party Yisrael Beiteinu; some candidates competing at the Labor party primaries; and several mayoral candidates. Following April 2019’s election — the first bout of the current election cycle — Elector co-founder and CEO Tzur Yamin wrote on his Facebook page that “Elector’s power was, once again, the tiebreaker.” The company’s page is littered with its “wins.” “Another great win of the Elector system: the prime minister defeats Gideon Sa’ar,” it boasts. “Elector’s power proves itself again.”
What Netanyahu didn’t know — what came to light only on Sunday — was that he was shepherding Likud activists toward a serious security breach, one of the worst exposed in Israel in recent years. Elector’s system received access to a huge database from the Israeli voters’ registrar — ID numbers, full names, home addresses, and phone numbers — of almost 6.5 million Israelis that are eligible to vote in the upcoming election on March 2. For several tens of thousands of Likud supporters, the damage is much worse, as Likud volunteers worked for the last month or so to collect additional details on them.
In Elector’s system, once access is granted by the campaign managers, volunteers, and workers, as well as various other position holders, can install the app to their devices and log on with a username and password. The volunteers are asked to round up acquaintances that support the campaign, including family, friends, and neighbors, and assign these people to their own profile. When a volunteer or worker inputs a name, the app does the rest, using its database to link a name to other identifying details. Sometimes, the same name generates multiple identity options, from which the user must choose. Once the process is completed, Elector can link a supporter with his or her ID number.
That connection is crucial on election day. Throughout the day, party representatives on the polling committee can update the app with the numbers and identities of those who have already voted, delivering real-time updates to headquarters. The identities of those who have yet to vote can be fed to campaign call centers who can use the data to nudge them into action. The app can also be used to send WhatsApp messages to supporters who have yet to vote.
Tehilla Schwartz Altshuler of Jerusalem-based independent research center the Israel Democracy Institute has analyzed the main election apps available in Israel. In an interview with Calcalist last week, she warned that “the lacking privacy protection in Israel — dated regulation and lack of enforcement — becomes a ticking bomb on election day.” It is a field that does not get much attention, she said. “The intersection between privacy and elections is untreated in Israel. No one knows what is really getting done, we don’t know what levels of information are in the databases.”
In response, Yamin told Calcalist at the time that it is important to him that Elector meets high standards of privacy and data security. “I can’t take these things lightly, it is something that is very important to me. Personally, I am an Israeli citizen and I wouldn’t want my own information to leak. Professionally, it is my obligation to the parties. If I don’t provide maximal security according to the strictest regulation they would go to my competitors.”
According to Yamin, earlier technologies allowed all volunteers access to voters’ ID numbers and personal details. “The entire voting registrar database was accessible, getting access was as easy as volunteering at some party’s headquarters for a few days. Was it okay? No, but they let it go because they didn’t want to damage the campaigns.” That is one of the reasons he founded the company, he said last week. “I know how sensitive the data is and how important its safekeeping is. I founded Elector because I didn’t want my information out and accessible in so many places, and because the previous solutions were not good enough, accessible enough, or secure enough.”
On Friday, activist hacker Noam Rotem and Ran Bar-Zik, a senior developer at Verizon Media, uncovered the breach in Elector’s system and reported it to the cyber directorate. “Like Ecuador, India, and other third-world countries, Israel has joined that questionable group of countries whose citizen database leaked online,” Bar-Zik told Calcalist Sunday. “Every intelligence agency, foreign country, or even a commercial company can get the information of each and every Israeli citizen. I saw many breaches in my life, but never such a ridiculous one that did so much damage.”
Rotem, who helped Bar-Zik investigate the breach, told Calcalist that it wasn’t a question of whether the information will leak, but of when. “Many privacy activists warned of this issue before, but despite a thousand warning flags, no rules were established and no guidelines were enforced. It is the people, as usual, who will pay the costs of this oversight,” he said.
Bar-Zik and Rotem received word regarding the existence of the Elector breach via the tipline of the podcast Cyber Cyber, co-hosted by Rotem, and according to Bar-Zik, it was incredibly easy to find: first, you must go to Elector’s homepage and ask the browser to display its source code —something that can be done via Chrome. The source code includes an internal link to Elector’s website, with the text “users-admin-get.” Inputting the link in the URL box displayed the system login details of all users with admin access. When Bar-Zik connected to Elector’s system using the admin name “the Likud for the Knesset” (in Hebrew), he was granted access to the entire database the party set up ahead of the election.
In addition to personal details like phone numbers and home addresses, Bar-Zik now had access to the voting number and polling location of every eligible citizen. He himself updated his home address only three weeks before, he said, and yet the database already had his new details.
The breach also gave Bar-Zik access to Likud’s various campaign tools, such as sending SMS messages. The party pre-bought 750,000 messages, and at the time of Bar-Zik’s test, 300,000 had already been sent. Had he wanted, he could have sent the remaining 450,000 messages at that moment. He could have also used the access he obtained to send a push to party volunteers and workers who installed the app — an ability that could be leveraged, for example, to instruct them to install an update that would have in actuality been malicious spyware.
Bar-Zik also received access to statistical information. For example, a slide that displayed the number of supporters and potential supporters inputted into the system. As of February 7, the extended details of over 20,000 Likud supporters and 15,000 potential supporters existed in the system. On January 29, less than 5,000 supporters and only a few potentials were listed, and the day before that — perhaps the day the system was brought online — their number stood at zero. Within two weeks, then, Likud activists inputted the details of 35,000 people.
Much of the blame for this breach should be placed on Elector’s shoulders, but Bar-Zik is unwilling to let the Likud party go scot-free. “They are working with a vendor on which they didn’t do any background checks. This is not a sophisticated breach, it is a ridiculous one,” he said. “When you work with an external vendor, it is 100% your responsibility to make sure they deserve your trust. In the software world, you don’t give away client information to third-party systems, and if you do, it is only for systems you validated. No one undertook such a process in this case, or these failures would have been detected.”
“When the state gives parties access to the most sensitive information about us, and there is no supervision regarding security, a leak is only a matter of time,” Schwartz Altshuler told Calcalist Sunday. “When such a database is leaked, it can become a huge influence engine for countries with geopolitical interests in the area. Access to such databases by, for example, Russia, can enable outside interference in upcoming elections.”
The way the National Cyber Directorate responded to the breach brings up some big questions, Rotem said. “Even though the breach was reported Friday, the system was still online on Sunday, and the information was still accessible,” he said. “From what I could gather, the directorate simply passed the report on to the company and settled for its answer that the breach was sealed. There was not even a basic test to check if it was indeed closed, and worse — there was not even a basic test to see which entities used it to obtain the data, and who holds it today.”
“It is both strange and disturbing that after Israeli parties failed so many times when it comes to the protection of private citizen data, the cyber directorate has yet to establish data security regulation the parties need to meet before receiving the information, and every sub-par company gets its hands on Israel’s entire citizen database,” Rotem said.
A spokesperson for Elector told Calcalist that the matter was an isolated incident that was handled immediately, and security was increased significantly after.
A spokesperson for the Likud party told Calcalist that “an attempt has been made to sabotage the efforts to enlist Likud supporters to vote in the election. As a result, the security for the websites was increased.” The spokesperson added that “it must be emphasized that the vendor in question is an external one that provides services to many parties.”