Following Likud App Breach, Regulator Descends on Offices of Suspected Developer
A day after Calcalist reported a security breach in a campaign management app used by Israeli ruling party Likud had exposed the country’s voting registrar, the Privacy Protection Authority ordered an inspection at the offices of “one of the companies suspected of being the source of the leak”
Omer Kabir | 10:55, 11.02.20
A day after Calcalist reported that the details of almost 6.5 million Israelis may have been leaked online following a breach in the campaign management app of ruling party Likud, the country’s Privacy Protection Authority has decided to carry out a supervisory process at the offices of “one of the companies suspected of being the source of the leak,” per a Monday announcement from the authority.
Last week, Calcalist’s Hebrew version reported on the two main apps—developed by Elector Software Ltd. and YaYaSoft Software Systems Ltd.—used by political players such as parties and candidates to manage their campaigns and motivate supporters to vote. In an interview conducted at the time, Tehilla Shwartz Altshuler of Jerusalem-based independent research center the Israel Democracy Institute warned of the lack of regulation in the sector, though the founders of both companies waved security and privacy concerns aside. The Privacy Protection Authority, in response, settled for refreshing its guidelines regarding the use of private citizen information and inviting party representatives to conferences on the issue.
On Sunday, Calcalist reported that a security problem with Elector’s website, used by Likud, enabled anyone with a bit of technical savviness to access the party’s account and receive access to Israel’s entire voting registrar for the upcoming election in March. Activist hacker Noam Rotem and Verizon Media senior developer Ran Bar-Zik, who uncovered the breach in Elector’s system and reported it to the National Cyber Directorate on Friday, told Calcalist on Sunday that the breach was still accessible.
“From what I could gather, the directorate simply passed the report on to the company and settled for its answer that the breach was sealed. There was not even a basic test to check if it was indeed closed, and worse—there was not even a basic test to see which entities used it to obtain the data, and who holds it today,” Bar-Zik told Calcalist.
On Monday evening, the Privacy Protection Authority announced it has sent inspectors to one of the companies suspected to be the source of the leak of the voting registrar, on suspicion of violating privacy protection laws. The authority has also stated it is working with “authorized entities” to prevent further leaks and is also collaborating with other relevant authorities. The responsibility to safeguard citizen privacy is first and foremost the responsibility of the political parties, even and especially when working with outside vendors, and in cases of violations parties could face civil or criminal charges, the authority said.
The authority’s actions, however, are too little too late. While the Likud party and Elector carry most of the responsibility in this case, as the regulator in charge, the authority also shares in the blame. Especially considering that the writing was on the wall.