According to The Washington Post, the data was not exposed by the app itself, but by the app’s website, which exposed a link to a non-password-protected API endpoint. This misconfiguration, ZDNet explains, potentially allowed threat actors to obtain admin account passwords and gain access to the site’s backend, which contained Israel’s voter registration database.
The exposed data included voters’ full names, phone numbers, ID card numbers, home addresses, gender, age, and ballot address and number. Additionally, the home addresses belonging to military leaders, security officials and government operatives were also exposed.
To look at the implications of the data loss, Anurag Kahol, CTO of Bitglass, provides analysis for Digital Journal.
Kahol begins by putting the issue into context: “This latest security incident involving the exposure of personal information belonging to 6.5 million Israeli eligible voters further exacerbates concerns regarding the security of election systems and supporting infrastructure.”
He then outlines the type of data impacted: “The exposed voter data included full names, addresses, Social Security numbers, gender and ballot addresses, along with other extremely sensitive details. An incident such as this puts the impacted citizens at extreme risk for future attacks such as identity theft, phishing, or strategically using the compromised information to sway their votes.”
Kahol also notes that the data breach issue could have been very serious: “Although this misconfiguration was discovered by a security researcher, there are tools cybercriminals use to detect abusable misconfigurations within IT assets such as a website’s vulnerable API endpoint. Unfortunately, this could have easily been employed by bad actors to compromise the data.”
In terms of preventative actions, Kahol recommends, for both businesses and government agencies: “All organizations, including government agencies and political groups, need to have full visibility and control over their data to prevent these types of misconfigurations and data leaks. To ensure sensitive information is always safe, organizations should look for security platforms that enforce real-time access control, detect and remediate misconfigurations, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent data loss.”