You have reached your limit of free articles this month.

Enjoy unlimited access to

Starting at just 99¢ for 8 weeks.


  • ePAPER

You have read of premium articles.

Get unlimited access to all of our breaking news, in-depth coverage and bonus content- exclusively for subscribers. Starting at just 99¢ for 8 weeks


Welcome to

This subscriber-only site gives you exclusive access to breaking news, in-depth coverage, exclusive interactives and bonus content.

You can read free articles of your choice a month that are only available on

Data breach in Georgia could affect 6 million voters

Georgia Secretary of State Brian Kemp acknowledged Wednesday that his office last month illegally disclosed the Social Security numbers and other private information of more than 6 million registered voters.

Kemp said the data went to 12 organizations who regularly subscribe to “voter lists” maintained by the state, and he was adamant that the “clerical error” did not compromise Georgia’s voter registration system. But the problem didn’t become public until two voters filed a class-action lawsuit alleging a massive data breach.

“It’s very, very scary,” said attorney Jennifer Jordan, who is representing Elise Piper and Yvette Sanders in the suit, which was filed Tuesday afternoon in Fulton County Superior Court. “My information was compromised, and I was kind of dumbfounded.”

Anyone registered to vote in Georgia is affected by the disclosure — some 6.2 million people.

It is not clear whether Georgia officials will seek consumer protections such as credit monitoring for the voters, a decision that could cost the state tens of millions of dollars. Attorney General Sam Olens — whose office oversees the Governor’s Office of Consumer Protection — declined to comment, citing the pending litigation.

Kemp’s office sent what it called “personal identifying information” to 12 organizations, including state political parties, news media organizations and Georgia GunOwner Magazine. The information was sent to the organizations Oct. 13, but officials may not have realized they goofed until 35 days later when they were served with the lawsuit.

That’s when several organizations, including The Atlanta Journal-Constitution, were contacted by investigators from Kemp’s office and asked to return the data discs containing the information. While the AJC and others — including the Georgia GOP and the Democratic Party of Georgia — have since complied with the request, at least one organization — the Libertarian Party — had not as of Wednesday afternoon.

“I am out at my daughter’s shooting competition,” the Libertarian Party’s Doug Craig said in a text when asked whether he would return the disc. “Going to tomorrow … maybe.”

Kemp, however, sought to show his office had gotten control of the situation.

“Our office shares voter registration data every month with news media and political parties that have requested it as required by Georgia law,” Kemp said in a statement. “Due to a clerical error where information was put in the wrong file, 12 recipients received a disc that contained personal identifying information that should not have been included. This violated the policies that I put in place to protect voters’ personal information.

“My office undertook immediate corrective action, including contacting each recipient to retrieve the disc, and I have taken additional administrative action within the agency to deal with the error,” Kemp said.

Kemp didn’t say what he meant by having “taken additional administrative action.” Kemp’s spokesman refused to clarify his comment and wouldn’t say whether anyone was fired for the error.

Experts say the breach could cause big problems.

“What a mess,” said David Vladeck, the former head of the Federal Trade Commission’s Bureau of Consumer Protection, now a professor at Georgetown University’s law school.

“This is a very serious breach involving a huge number of Georgia residents,” Vladeck said in an email. “The types of information released — especially SSNs and driver license records (which generally have addresses, dates of birth, pictures and other uniquely identifying information) — are very, very valuable to identity thieves.”

“At a minimum,” he added, “the state is going to have to take a number of steps to protect the residents affected by the breach, such as paying for credit monitoring.”

Individuals and organizations may legally buy voter lists from the state.

The suit alleges that the unauthorized information released in October in the voter lists involved Social Security numbers, dates of birth and driver’s license numbers. The AJC independently confirmed the inclusion of that data in the October file. The AJC did so by accessing the October data disc, looking up information for one of its staffers and confirming that his Social Security number and driver’s license information were included.

Georgia’s identity theft law, enacted in 2005, requires businesses and state and local government agencies and information brokers to notify affected consumers by telephone, email, written notice or other methods “in the most expedient time possible” after a data breach is discovered.

If more than 10,000 people are affected, the law also requires credit reporting agencies to be quickly notified. For breaches affecting more than 100,000 people, the law requires the business or government agency to send an email alert, post a “conspicuous” notice on its website and notify “major state-wide media.”

The state gave no indication that it plans to notify those whose records were exposed.

While third parties can legally buy the voter lists from the state, the lists are only supposed to include a voter’s name, residential or mailing address, race, gender, registration date and last voting date.

The breach, which the suit says happened internally because of lax controls in Kemp’s office, would be one of the largest ever by a state.

In 2012, a massive data breach reported by South Carolina officials exposed 3.8 million Social Security numbers. At the time, Georgia officials said the state used data encryption and other controls not in place when hackers breached South Carolina’s Department of Revenue.

South Carolina paid Experian $12 million to provide credit monitoring for victims. State lawmakers there also put an additional $25 million into budget for an extra year of credit protection and to upgrade computer security.

Staff writers Greg Bluestein, Aaron Gould Sheinin and Russell Grantham contributed to this article.

Reader Comments ...

Next Up in Georgia Politics

A purple paint law? Senate backs bill to replace ‘no trespassing’ signs
A purple paint law? Senate backs bill to replace ‘no trespassing’ signs

Georgia property owners could throw away their “no trespassing” signs and instead paint trees and fence posts purple, under legislation passed unanimously Wednesday by the state Senate. Senate Bill 159, sponsored by freshman state Sen. Lee Anderson, R-Grovetown, doesn’t ban anyone from using the familiar signs, but instead adds purple...
Georgia House backs lowering top state income tax rate
Georgia House backs lowering top state income tax rate

The Georgia House overwhelmingly passed a measure Wednesday to cut the state’s top income tax rate. The House voted 126-40 for House Bill 329, which would make Georgians pay a 5.4 percent state income tax. Currently the state has a graduated income tax system, with rates starting at 1 percent and rising to 6 percent as the amount of taxable income...
Georgia House chairman: teacher pensions will cost taxpayers more
Georgia House chairman: teacher pensions will cost taxpayers more

This year’s extra payments to ensure the security of the state’s teacher pension program would be enough to give educators a 5 percent raise or eliminate school “austerity cuts” that have been an annual problem for more than a decade. But now a House committee chairman is warning that the state could wind up nearly doubling...
DeKalb Public Safety Director Cedric Alexander stepping down
DeKalb Public Safety Director Cedric Alexander stepping down

DeKalb County Public Safety Director Cedric Alexander is resigning after a term in which he rose to national prominence as an advocate for improved relationships between police and their communities. Alexander said in a statement Wednesday he’ll step down at the end of March.  “After 40 years, it’s time for a break,&rdquo...
Trump remains firm while also urging unity
Trump remains firm while also urging unity

President Donald Trump revived the populist rhetoric that helped propel his rise to the top of the Republican ticket and later the White House while urging lawmakers to cast aside partisanship to work with him to overhaul the tax code and rebuild the nation’s health care system in his first address before a joint session of Congress. Forty days...
More Stories