Experts Insight On Netanyahu’s Party Exposes Personal Data Of Over 6 Million Israelis On App

By ISBuzz Team
Writer, Information Security Buzz | Feb 11, 2020 04:06 am PST

The personal information of over six million citizens was leaked after Benjamin Netanyahu’s Likud party uploaded the full register of Israeli voters to an app, Haaretz reported Sunday. The information includes full names, identity card numbers, addresses, genders, phone numbers, and other personal details. The registry was uploaded by Likud to the Elector app, which the party uses on election day. The vulnerability in the application reportedly allowed anyone to easily download the entire voter registry to a computer. A similar leak happened in 2006 when an Interior Ministry employee stole the population registry and published it illegally. Likud has previously been at the center of security breaches, including multiple web leaks of the party’s voter database. Israeli political parties receive the information of voters before the elections and vow to protect their privacy. They are not permitted to copy, permanently erase, or transfer the registry once the election is over.

 

4 Expert Comments
Chris DeRamus, VP of Technology Cloud Security Practice
February 11, 2020 12:14 pm

Governments around the world collect highly sensitive information on citizens and are thus prime targets for cyberattacks. Government entities should not deploy applications and modern technologies without investing in stringent security strategies that protect critical data. In this incident, every single eligible voter in Israel has had their personal information compromised due to a vulnerability of a website promoting an application.

Misconfiguring a database that contains sensitive information of millions of citizens has massive consequences. All Israeli voters are now vulnerable to phishing, fraud, and other cyberattacks. A database with such a huge trove of data should never have been so easily accessible to anyone on the web.

For traditional industries to adopt new applications successfully, they must change how they are deploying and building applications entirely. Engineering teams have direct access to IT infrastructure and old processes aren’t going to work because the rate of change and the dynamic nature of software-defined infrastructure has outstripped human capacity. Government institutions must adopt modern security strategies that provide the automation essential to enforce policy, reduce error, provide governance, impose compliance, and increase security across the complex IT infrastructure. By utilizing security automation, government bodies can stay agile and innovate while maintaining the integrity of their technology stack.

James Carder, Chief Information Security Officer & Vice President
February 11, 2020 12:13 pm

It is worrisome that an app developed specifically for elections did not have advanced security measures in place — especially when millions of voter records were contained within it. Unfortunately, in this Elector incident, personally identifiable information including names, addresses and phone numbers for over six million voters was left exposed. This data can now be weaponized in future attacks, and it leaves those impacted vulnerable to future fraud.

On top of that, these types of incidents can have real geopolitical ramifications. Exposed voter information could easily lead to fraudulent voting, allowing cyber criminals to manipulate the voting system and potentially elect individuals or pass laws that the population wasn’t going to support. And given how connected our world is — with nuanced diplomatic relations and economic unions — those fraudulently approved officials and laws could then have international ripple effects.

This incident should serve as a wake-up call for other developers of election technology. Just last week, the U.S. had an issue with an app for the Iowa caucuses. While the situation in that case was less about security and more about general functionality of the app, the incident with Elector demonstrates the potential damage of hastily built election applications. And either way, these breaches and malfunctions can infringe upon the trust and confidence citizens have in their government; it could make them wonder how long these types of malfunctions and vulnerabilities have existed and if they’ve managed to compromise past elections.

Cybersecurity around all elections should be a hyper-focus. Given the sensitive nature of the data needed to execute an election and the national and global impacts of the results, developers of election technology — whether it’s an app or something else — need to take the necessary precautions to protect voter data. First and foremost, anyone creating these technologies should employ secure software development and application security best practices. This will help identify and remediate any code-based vulnerabilities before the technology is made available to the public, and it will also assist with maintaining the security of the application as maintenance is performed. And then anyone collecting or storing this information should have real-time monitoring and clear visibility into their operations. This will allow them to rapidly detect and neutralize security threats.

Israel Barak, Chief Information Security Officer
February 11, 2020 12:09 pm

The "when" in the popular saying 'it's not a matter of if, but when' a corporation or government is hacked, is as antiquated as most anti-virus products on the market today. Most nations, and corporations for that matter, are under a constant and present threat of hacking from nation states and rogue hacking groups looking to steal personal identifiable information.

Nations and corporations need to change their mindset immediately and start taking the fight to the adversaries. You can't build a wall that is high enough or thick enough to stop hackers because they are persistent and eager to succeed. It is no longer a game of walls but a game of data and controlling your data is the key to staying out of the hacking headlines. Through threat hunting, nations and corporations can control the cyber battlefield and stop hackers in their tracks. Control your data and you can control your future.

Javvad Malik, Security Awareness Advocate
February 11, 2020 12:08 pm

Any time vast amounts of personal information is being collected, processed, and stored, all aspects of security need to be taken into consideration. Application security remains a concern for a large number of organisations, and not a week goes by where vast amounts of data aren't exposed due to misconfigured cloud buckets which set permissions to public.

It's important for organisations to realise that there is no step they can take to fix these issues, and neither is there a 7 step plan that can be followed that applies to all scenarios. Rather a culture of security needs to be embedded within organisations so that the right questions are asked at the right time to account for risk and potential exposure, and based on that, ensure that the most effective controls are implemented.

Without this change in mindset, we will continue to see breaches occur. And with so much information digitally available, the impact will only continue to grow.
