You have reached your limit of free articles this month.

Enjoy unlimited access to myAJC.com

Starting at just 99¢ for 8 weeks.

GREAT REASONS TO SUBSCRIBE TODAY!

  • IN-DEPTH REPORTING
  • INTERACTIVE STORYTELLING
  • NEW TOPICS & COVERAGE
  • ePAPER
X

You have read of premium articles.

Get unlimited access to all of our breaking news, in-depth coverage and bonus content- exclusively for subscribers. Starting at just 99¢ for 8 weeks

X

Welcome to myAJC.com

This subscriber-only site gives you exclusive access to breaking news, in-depth coverage, exclusive interactives and bonus content.

You can read free articles of your choice a month that are only available on myAJC.com.

Data breach in Georgia could affect 6 million voters


Georgia Secretary of State Brian Kemp acknowledged Wednesday that his office last month illegally disclosed the Social Security numbers and other private information of more than 6 million registered voters.

Kemp said the data went to 12 organizations who regularly subscribe to “voter lists” maintained by the state, and he was adamant that the “clerical error” did not compromise Georgia’s voter registration system. But the problem didn’t become public until two voters filed a class-action lawsuit alleging a massive data breach.

“It’s very, very scary,” said attorney Jennifer Jordan, who is representing Elise Piper and Yvette Sanders in the suit, which was filed Tuesday afternoon in Fulton County Superior Court. “My information was compromised, and I was kind of dumbfounded.”

Anyone registered to vote in Georgia is affected by the disclosure — some 6.2 million people.

It is not clear whether Georgia officials will seek consumer protections such as credit monitoring for the voters, a decision that could cost the state tens of millions of dollars. Attorney General Sam Olens — whose office oversees the Governor’s Office of Consumer Protection — declined to comment, citing the pending litigation.

Kemp’s office sent what it called “personal identifying information” to 12 organizations, including state political parties, news media organizations and Georgia GunOwner Magazine. The information was sent to the organizations Oct. 13, but officials may not have realized they goofed until 35 days later when they were served with the lawsuit.

That’s when several organizations, including The Atlanta Journal-Constitution, were contacted by investigators from Kemp’s office and asked to return the data discs containing the information. While the AJC and others — including the Georgia GOP and the Democratic Party of Georgia — have since complied with the request, at least one organization — the Libertarian Party — had not as of Wednesday afternoon.

“I am out at my daughter’s shooting competition,” the Libertarian Party’s Doug Craig said in a text when asked whether he would return the disc. “Going to tomorrow … maybe.”

Kemp, however, sought to show his office had gotten control of the situation.

“Our office shares voter registration data every month with news media and political parties that have requested it as required by Georgia law,” Kemp said in a statement. “Due to a clerical error where information was put in the wrong file, 12 recipients received a disc that contained personal identifying information that should not have been included. This violated the policies that I put in place to protect voters’ personal information.

“My office undertook immediate corrective action, including contacting each recipient to retrieve the disc, and I have taken additional administrative action within the agency to deal with the error,” Kemp said.

Kemp didn’t say what he meant by having “taken additional administrative action.” Kemp’s spokesman refused to clarify his comment and wouldn’t say whether anyone was fired for the error.

Experts say the breach could cause big problems.

“What a mess,” said David Vladeck, the former head of the Federal Trade Commission’s Bureau of Consumer Protection, now a professor at Georgetown University’s law school.

“This is a very serious breach involving a huge number of Georgia residents,” Vladeck said in an email. “The types of information released — especially SSNs and driver license records (which generally have addresses, dates of birth, pictures and other uniquely identifying information) — are very, very valuable to identity thieves.”

“At a minimum,” he added, “the state is going to have to take a number of steps to protect the residents affected by the breach, such as paying for credit monitoring.”

Individuals and organizations may legally buy voter lists from the state.

The suit alleges that the unauthorized information released in October in the voter lists involved Social Security numbers, dates of birth and driver’s license numbers. The AJC independently confirmed the inclusion of that data in the October file. The AJC did so by accessing the October data disc, looking up information for one of its staffers and confirming that his Social Security number and driver’s license information were included.

Georgia’s identity theft law, enacted in 2005, requires businesses and state and local government agencies and information brokers to notify affected consumers by telephone, email, written notice or other methods “in the most expedient time possible” after a data breach is discovered.

If more than 10,000 people are affected, the law also requires credit reporting agencies to be quickly notified. For breaches affecting more than 100,000 people, the law requires the business or government agency to send an email alert, post a “conspicuous” notice on its website and notify “major state-wide media.”

The state gave no indication that it plans to notify those whose records were exposed.

While third parties can legally buy the voter lists from the state, the lists are only supposed to include a voter’s name, residential or mailing address, race, gender, registration date and last voting date.

The breach, which the suit says happened internally because of lax controls in Kemp’s office, would be one of the largest ever by a state.

In 2012, a massive data breach reported by South Carolina officials exposed 3.8 million Social Security numbers. At the time, Georgia officials said the state used data encryption and other controls not in place when hackers breached South Carolina’s Department of Revenue.

South Carolina paid Experian $12 million to provide credit monitoring for victims. State lawmakers there also put an additional $25 million into budget for an extra year of credit protection and to upgrade computer security.

Staff writers Greg Bluestein, Aaron Gould Sheinin and Russell Grantham contributed to this article.



Reader Comments ...


Next Up in Georgia Politics

Handel cracks Georgia GOP ‘glass ceiling’
Handel cracks Georgia GOP ‘glass ceiling’

It might not have seemed that way, but the scene at a stuffed Roswell restaurant on the eve of last week’s runoff was a quietly remarkable one. It was the night before the 6th Congressional District vote, and Gov. Nathan Deal was campaigning for a former opponent his staff once described as a spout of “unhinged blather.” Sprinkled...
A new health care debate, Donald Trump, and a spike in breast cancer

Just in time for the renewed, fast-tempo debate over health care in Washington, public health researchers at Georgia State University have produced a pair of studies that help underline just what’s at stake. The more provocative of the two papers has intriguing national implications: In large swaths of the United States, swing areas that handed...
Georgians: Fix health care prices, stop partisanship
Georgians: Fix health care prices, stop partisanship

After the U.S. Senate finally revealed its proposed federal health care bill, advocates revved up their rhetoric with extreme positions, loud cheers and denunciations. “INJUSTICE!” blared the handmade sign of a protester Friday outside U.S. Sen. Johnny Isakson’s office. The Senate’s bill “is morally repugnant,” said...
Will Georgia’s 6th District do this all again in 2018?
Will Georgia’s 6th District do this all again in 2018?

Despite initial relief among Georgia’s 6th District residents that the barrage of campaign ads has come to an end, the reprieve might not last too long. “Now we know what New Hampshire looks like,” said Chip Lake, a GOP consultant based in Georgia. The question is, with 2018 just around the corner, will this year’s astronomical...
Trump signs law making it easier to fire bad VA employees
Trump signs law making it easier to fire bad VA employees

President Donald Trump signed a bill into law Friday that would expedite the process for top officials to fire problematic employees at the long-troubled U.S. Department of Veterans Affairs. The aim of the accountability legislation is to make it easier to root out the bad apples who have helped contribute to the cascade of scandals at the VA, harming...
More Stories