The Authority for Defending Privacy issued a statement Monday night that it had opened a probe into the actions of multiple parties involved in the Likud’s leak of the personal information of close to 6.5 million Israeli voters.
The statement said that the authority would probe both the Likud officials responsible and third parties hired by the party, who had obligations to protect the personal data.
In addition, the statement said that violators of the law could potentially face criminal or civil penalties depending on their actions.
The personal information of 6,453,254 Israelis was leaked after the Likud Party uploaded the entire Israeli national voter registry to an application, according to Haaretz.
The leaked information includes names, identification numbers, phone numbers and addresses.
Political parties in Israel receive the information of Israeli voters before the elections and must protect their privacy and cannot copy, erase or transfer the registry.
The voter registry was uploaded to the Elector application, which the Likud Party uses on Election Day. A breach in the application allows for the leaking of the voter registry, which can then be downloaded on a computer, according to Haaretz.
The last leak of this size happened in 2006, when an employee at the Interior Ministry stole the population registry and published it illegally.
An anonymous source told Haaretz about the security flaw through which any person could access the entire registry without even needing to use sophisticated tools. Exact instructions were published on how to access the voter registry.
Privacy activists warned about using the application even before the leak, and Haaretz passed the report on to the National Cyber Directorate.
Last week, Prime Minister Benjamin Netanyahu called on Likud supporters to download the application in order to help draft more supporters and voters. The company that developed the application, Feed-b, said that this was “a specific incident that was taken care of immediately, and afterwards security was strengthened substantially.”
According to Tel Aviv-based business newspaper TheMarker, the Elector application allows parties to create databases in a way that breaks the Protection of Privacy Law, because it calls on users to provide private information of possible party voters that isn’t included in the voter registry. It is unclear how much and what type of information was leaked from the Likud database; Haaretz refrained from investigating the matter too deeply in order to avoid breaking the law.
“Like Ecuador, India and other Third World countries, Israel has joined the club of dubious countries that the database of their citizens was leaked to the Internet,” Ron Bar Zik, a senior programmer at Verizon media, told the Israeli business daily Calcalist. Bar Zik found the breach and reported on it to the National Cyber Directorate.
“Every intelligence organization, foreign state or even commercial company can receive data on every person in Israel. I’ve seen many breaches in my life, [but] I’ve never seen such a ridiculous breach like this, which did this much damage,” said Bar Zik.
The Likud Party told Calcalist that “An attempt to damage the means of recruiting Likud voters to vote in the elections was thwarted. In light of this, the security for website operations has been strengthened.” The party stressed that the problem was in an external service provider that provides services for many parties.
In March, both the Likud and Labor parties were using applications that were at risk of major security breaches, according to an inspection by Check Point Software Technologies.
At the time, Mako news reported that the Likud app gives users the means to get personal information on party members using just an ID number. The Labor app uses the contact information on a user’s mobile phone to map his or her family members. Check Point informed the parties of these issues, according to the report.
Likud fixed the breach as soon as it was informed by the company, Mako reported. A Labor spokesperson told the site that Check Point’s claim “is not true.”
Hagay HaCohen contributed to this report.