Israel’s Privacy Protection Authority said it was looking into what it called a “grave” security lapse by the maker of an app promoted by Prime Minister Benjamin Netanyahu and his Likud party that led to the exposure of personal data of all 6.5 million eligible voters in Israel, including full names and identity card numbers.
The flawed website for the app, called Elector, failed to secure personal details in the voter registry, which also included the address and gender of each voter, even those who did not use the app, and in some cases phone numbers as well, the Haaretz newspaper first reported on Sunday, raising concerns about identity theft and foreign interference.
The maker of Elector did not immediately respond to an emailed request for comment, but in a statement issued to the Israeli news media, it sought to play down the potential consequences, describing the leak as a “one-off incident that was immediately dealt with” and saying it had since bolstered the site’s security.
The data required essentially no hacking skills to access, and it was unknown how many people had downloaded the registry.
Mr. Netanyahu had encouraged supporters to download the app, which offers news and information related to the March 2 election, the third in less than a year after the first two failed to provide an outright winner and efforts to form a coalition came up short.
In a statement issued in response to the reports on Sunday, the Privacy Protection Authority, a unit of the Justice Ministry, said that responsibility for complying with Israeli privacy law involving use of the voter registry “lies with the parties themselves.”
It stopped short of announcing a full-fledged investigation, however, and said it could not give further details at this stage.
Ran Bar-Zik, a developer for Verizon Media who wrote the story that Haaretz published on Sunday, was alerted to the breach over the weekend.
In an interview on Monday, he said he had received a tipoff about the Elector website breach on Friday night. The message was sent in English to Cybercyber, a Hebrew podcast that he hosts with two colleagues. As evidence, the tipster included Mr. Bar-Zik’s own details and those of his wife and son.
“It was spooky,” Mr. Bar-Zik said.
Explaining the ease with which the voter information could be accessed, Mr. Bar-Zik wrote in a blog post that visitors to the app’s website could right-click to “view source,” an action that reveals the code behind a web page.
The code revealed the user names and passwords of site administrators, and using those credentials would allow anyone to log in and download the voter information.
Mr. Bar-Zik said he chose the Likud administrator and “Jackpot! Everything was in front of me!”
“When we talk about hacking, we imagine people in hoodies doing technical stuff,” Mr. Bar-Zik said. But in the Elector case, he added, no hacking technique was necessary.
One Israeli website said it had been able to access the personal information of, among others, Mr. Netanyahu; his wife, Sara; the chief of staff for the Israeli military, Aviv Kochavi; and Nadav Argaman, the head of Shin Bet, Israel’s domestic security agency.
The leak was believed to be the largest disclosure of Israeli voter information since 2006, when an employee of the Interior Ministry stole the population registry and then published it.
The exposure of the database of Israeli voters could have significant consequences. Databases listing personal information of private citizens can be exploited for a number of purposes, including by criminals looking to make money through identity theft, or by foreign state-backed hackers looking to spy on Israeli voters ahead of a critical election.
“This is a treasure for foreign countries with geostrategic interests in Israel,” Tehilla Shwartz Altshuler, head of the Media Reform Project at the Israel Democracy Institute, a nonpartisan think tank in Jerusalem, told Channel 12 news.
Massive voter databases are one more reason that cybersecurity officials across the world have warned that new technology is best kept out of the hands of election officials and political parties.
Most recommend that new technology, including voting machines and apps used by political parties, be tested for months, or even years, before it is deployed to the general public.
Cybersecurity experts specializing in election technology have begun holding specialized sessions at the world’s largest annual conference for hackers, DefCon. During the sessions they hack into voting machines and other technology used during elections around the world in an effort to lay their vulnerabilities bare.
Last week, an app introduced by the Iowa Democratic Party to help tally votes during the Iowa caucus failed on the day of the vote, throwing the first-in-the-nation contest into chaos.
The app, which had been privately developed for the party and had not been tested by independent cybersecurity experts, had been kept a secret by the party until the weeks leading up to the vote.
When it was eventually unveiled, many had trouble downloading and using it. Cybersecurity experts quickly found the app was riddled with bugs and potential vulnerabilities.