State voter record breach involves critical information


Data security experts say the security lapse that potentially exposed the Social Security numbers and other personal information of more than 6 million Georgia voters could cause significant damage to consumers if the data were to fall into the wrong hands.

The information, including dates of birth and driver’s license numbers, is far more valuable to criminals than the bank card information that has been stolen in several recent high-profile cyberattacks against retailers such as Target and Atlanta-based Home Depot.

Personal identity information can be used over and over and fetch high prices among criminals, while bank cards aren’t as valuable because they can be quickly canceled after a theft.

“When you get a Social Security number and a date of birth, you’ve got everything you need to do tremendous damage to these consumers,” said Stephen Coggeshall, the chief analytics and science officer for data security firms LifeLock and ID Analytics.

Consumers should contact at least one of the three major credit bureaus — Equifax, Experian and TransUnion — to issue fraud alerts, experts said, because criminals could use the information to establish bank accounts, open credit cards or cause other sorts of financial harm.

This week two Georgia women sued Secretary of State Brian Kemp’s office alleging the agency in October improperly released sensitive information to buyers of voter registration data.

News media, political parties and other paying subscribers who legally buy certain — usually less invasive — voter information for research or political campaign purposes were among the 12 recipients.

Typically, the state releases include only names, addresses, ethnicity, gender, registration date, last voting date, and the political party primaries in which they voted.

The Secretary of State’s Office is attempting to retrieve discs sent to 12 buyers in order to secure the data.

Kemp told The Atlanta Journal-Constitution his office “undertook immediate corrective action, including contacting each recipient to retrieve the disc, and I have taken additional administrative action within the agency to deal with the error.”

The AJC was one of the recipients and returned its disc to the agency.

Unlike recent hacks of major retailers or the federal Office of Personnel Management, the breach of Georgia voter data involves information shipped to a known and narrow spectrum of buyers, not criminals who illegally forced their way into organizations’ computer infrastructure.

That “mitigates the seriousness,” Coggeshall said, but if there is “any bad actor who is in those organizations or involved in the transmission or delivery, you might consider that data as truly compromised.”

He said the state should consider doing what many retailers and banks have done after being hacked and provide free credit monitoring from the major bureaus. That could be very costly.

David Barton, an information security expert and a managing partner of the accounting firm UHY Advisors in Atlanta, said the breach demonstrates a “lack of control” in handling the data.

It wasn’t immediately clear whether the improper release originated with the state or a contractor to the Secretary of State’s Office.

Barton said it doesn’t matter.

“There need to be controls before data is released, whether it is assembled in-house or not,” he said.

A mishmash of federal and state laws currently requires companies and government agencies to take steps to protect sensitive personal information and to notify affected people when their data have been inadvertently released.

A bill proposing a federal omnibus law on data breaches, the Data Security & Breach Notification Act, has been knocking around Washington for years, so far without becoming law.

Most of the existing federal laws are aimed at specific agencies such as the Department of Veterans Affairs or specific types of information, such as hospitals’ handling of patient records or credit card account information held by banks, retailers and payments processors.

The Federal Trade Commission regulates unfair trade practices by businesses, including poor data security practices that put consumers at the mercy of identity thieves and hackers.

But the FTC doesn’t regulate state agencies, making it a gray area as to whether the agency might investigate a contractor operating on the state agency’s behalf, if some fault exists there.

An FTC spokesman declined to comment on the possibility of an investigation.

Similar jurisdiction issues apply to the Federal Communications Commission, which regulates data slips by cable, telephone and Internet providers, and the Consumer Financial Protection Bureau, which weighs in when hackers scoop up credit card records from financial firms.

“Making matters worse, the federal agencies have no authority here,” said David Vladeck, a former head of the Federal Trade Commission’s Bureau of Consumer Protection.

“The FTC, which generally investigates commercial data breaches, has no authority over governmental entities,” said Vladeck, now a professor at Georgetown University’s law school.

The state Attorney General’s Office did not immediately respond to inquiries about whether it would investigate the Secretary of State’s Office’s handling of the data, or if the Law Department’s Office of Consumer Protection would advise voters about what they should do in the wake of the alleged security lapse.

Staff writer Kristina Torres contributed to this article.


