[BreachExchange] 20 Israelis sue Likud over app breach that led to massive data leak

[Destry Winant]

https://www.timesofisrael.com/20-israelis-sue-likud-over-app-breach-that-led-to-massive-data-leak/

A group of 20 Israelis filed a NIS 1 million ($286,370) lawsuit on
Sunday against Prime Minister Benjamin Netanyahu’s Likud party and the
developers of an app it used to register voters ahead of the
parliamentary election, after massive data breaches leaked the
personal information of millions of citizens.

The plaintiffs argue in their suit that the use of their information
by Likud and by the Elector company, whose application the party
purchased, violated their privacy.

“The lawsuit is intended to show that those who do not safeguard the
privacy [of others] will consequently feel it in their wallets,” said
the attorney representing the plaintiffs, Jonathan Klinger, in a
statement.”Additionally it reminds other players in society that if
they also violate citizens’ privacy there will be someone to come and
sue them.”

The plaintiffs argued that while the ramifications of the consecutive
data breaches won’t be known for several years, such leaks in the past
have led to “identity theft, impersonation and even tampering with
national security.”

Screenshot of the website of the Elector elections data app, taken
February 10, 2020.

Twice in two weeks last month, Likud’s online voter-tracking efforts
have resulted in leaks of the entire database of Israeli voters,
including names, home addresses and other details, to the wider
internet.

The first breach was one of the largest and most compromising leaks of
Israelis’ personal information in the nation’s history, leading to the
party being investigated by authorities for possible violations of
election privacy laws.

A petition filed to the Central Elections Committee accused Likud of
using its access to the official voter registry to create a database
of all voting-age Israelis that it then made available to its
grassroots activists through the publicly available app Elector. The
app is intended to enable political parties to conduct real-time
data-crunching on election day, showing vital ground-game information
on individual voters, polling stations (including rates of support for
a party by station) and regions. But a flaw in the app’s web interface
gave “admin access” to the entire database, allowing anybody to access
and copy the Israeli voter registry, along with additional information
gathered by Likud about hundreds of thousands of voters.

The exposed database includes the full name, sex, home address and in
many cases cellphone number and responses to political polling for 6.5
million Israeli adults.

The second leak was caused by faulty data protection on Elector, which
Likud used to register and assign its election-day observers to ballot
stations around the country.

There has been no immediate evidence that the exposed information was
downloaded by foreign actors before the vulnerability was discovered.

Illustrative: Officials count the remaining ballots from soldiers and
absentees at the parliament in Jerusalem, a day after the general
elections, April 10, 2019. (Noam Revkin Fenton/Flash90)

Likud called the second leak part of a series of “criminal attack
attempts against Likud websites” that were being carried out by
“criminals acting systematically to harm Likud and the electoral
process. Likud has filed yet another complaint with the police and we
expect swift action to catch the criminals.”

The Justice Ministry’s Privacy Protection Authority launched
investigation into the latest breach. The National Cyber Directorate
is also taking part in the investigation.

Senior judges and law enforcement officials were among the individuals
whose political leanings were listed in the leaked database,
information security researchers found.

Officials are now looking into possible breaches of privacy laws —
including handing over the voter registry to the programmers of
Elector. Israeli election law gives political parties access to the
registry, but forbids handing it to a third party.

Elector was used by other parties as well, including Yisrael Beytenu
and in a limited way by some primary candidates in the Labor party
over the past year. But Likud was the only one known to have
outsourced its voter data wholesale to the app, and Netanyahu has on
many occasions urged party activists to use it, saying it would “give
us victory” on election day.

Prime Minister Benjamin Netanyahu, center, blows a kiss to the crowd
as he’s surrounded by activists during a gathering to show support for
him as he faces corruption investigations, held at the Tel Aviv
Convention Center, August 9, 2017. (AFP/Jack GUEZ/File)

Likud’s lax data security combined with its fervent embrace of
big-data methods for its campaign have drawn a torrent of criticism,
especially since past mistakes do not seem to have improved the
party’s handling of voter information.

The latest round of missteps follows a voter privacy debacle ahead of
the September 17 election. The business journal The Marker reported on
September 9 that it had managed to access Likud’s voter database
(Hebrew link) through a party website, including information the party
had recorded on each Israeli’s relationship to the ruling party. For
example, over 600,000 people were listed as “not supportive.”