Data breach in Georgia could affect 6 million voters

Georgia Secretary of State Brian Kemp acknowledged Wednesday that his office last month illegally disclosed the Social Security numbers and other private information of more than 6 million registered voters.

Kemp said the data went to 12 organizations who regularly subscribe to “voter lists” maintained by the state, and he was adamant that the “clerical error” did not compromise Georgia’s voter registration system. But the problem didn’t become public until two voters filed a class-action lawsuit alleging a massive data breach.

“It’s very, very scary,” said attorney Jennifer Jordan, who is representing Elise Piper and Yvette Sanders in the suit, which was filed Tuesday afternoon in Fulton County Superior Court. “My information was compromised, and I was kind of dumbfounded.”

Anyone registered to vote in Georgia is affected by the disclosure — some 6.2 million people.

It is not clear whether Georgia officials will seek consumer protections such as credit monitoring for the voters, a decision that could cost the state tens of millions of dollars. Attorney General Sam Olens — whose office oversees the Governor’s Office of Consumer Protection — declined to comment, citing the pending litigation.

Kemp’s office sent what it called “personal identifying information” to 12 organizations, including state political parties, news media organizations and Georgia GunOwner Magazine. The information was sent to the organizations Oct. 13, but officials may not have realized they goofed until 35 days later when they were served with the lawsuit.

That’s when several organizations, including The Atlanta Journal-Constitution, were contacted by investigators from Kemp’s office and asked to return the data discs containing the information. While the AJC and others — including the Georgia GOP and the Democratic Party of Georgia — have since complied with the request, at least one organization — the Libertarian Party — had not as of Wednesday afternoon.

“I am out at my daughter’s shooting competition,” the Libertarian Party’s Doug Craig said in a text when asked whether he would return the disc. “Going to tomorrow … maybe.”

Kemp, however, sought to show his office had gotten control of the situation.

“Our office shares voter registration data every month with news media and political parties that have requested it as required by Georgia law,” Kemp said in a statement. “Due to a clerical error where information was put in the wrong file, 12 recipients received a disc that contained personal identifying information that should not have been included. This violated the policies that I put in place to protect voters’ personal information.

“My office undertook immediate corrective action, including contacting each recipient to retrieve the disc, and I have taken additional administrative action within the agency to deal with the error,” Kemp said.

Kemp didn’t say what he meant by having “taken additional administrative action.” Kemp’s spokesman refused to clarify his comment and wouldn’t say whether anyone was fired for the error.

Experts say the breach could cause big problems.

“What a mess,” said David Vladeck, the former head of the Federal Trade Commission’s Bureau of Consumer Protection, now a professor at Georgetown University’s law school.

“This is a very serious breach involving a huge number of Georgia residents,” Vladeck said in an email. “The types of information released — especially SSNs and driver license records (which generally have addresses, dates of birth, pictures and other uniquely identifying information) — are very, very valuable to identity thieves.”

“At a minimum,” he added, “the state is going to have to take a number of steps to protect the residents affected by the breach, such as paying for credit monitoring.”

Individuals and organizations may legally buy voter lists from the state.

The suit alleges that the unauthorized information released in October in the voter lists involved Social Security numbers, dates of birth and driver’s license numbers. The AJC independently confirmed the inclusion of that data in the October file. The AJC did so by accessing the October data disc, looking up information for one of its staffers and confirming that his Social Security number and driver’s license information were included.

Georgia’s identity theft law, enacted in 2005, requires businesses and state and local government agencies and information brokers to notify affected consumers by telephone, email, written notice or other methods “in the most expedient time possible” after a data breach is discovered.

If more than 10,000 people are affected, the law also requires credit reporting agencies to be quickly notified. For breaches affecting more than 100,000 people, the law requires the business or government agency to send an email alert, post a “conspicuous” notice on its website and notify “major state-wide media.”

The state gave no indication that it plans to notify those whose records were exposed.

While third parties can legally buy the voter lists from the state, the lists are only supposed to include a voter’s name, residential or mailing address, race, gender, registration date and last voting date.

The breach, which the suit says happened internally because of lax controls in Kemp’s office, would be one of the largest ever by a state.

In 2012, a massive data breach reported by South Carolina officials exposed 3.8 million Social Security numbers. At the time, Georgia officials said the state used data encryption and other controls not in place when hackers breached South Carolina’s Department of Revenue.

South Carolina paid Experian $12 million to provide credit monitoring for victims. State lawmakers there also put an additional $25 million into budget for an extra year of credit protection and to upgrade computer security.

Staff writers Greg Bluestein, Aaron Gould Sheinin and Russell Grantham contributed to this article.

Reader Comments ...

Next Up in Georgia Politics

First American title pawn pays $225K for alleged violations against Georgia customers
First American title pawn pays $225K for alleged violations against Georgia customers

A Georgia title pawn company is paying about $225,000 to settle allegations that it sued customers who defaulted on loans, threatened customers with arrest warrants and misrepresented itself in advertisements. Georgia Attorney General Chris Carr announced last week that First American Title Lending of Georgia will make the payment in response...
The Left warns that GOP tax reform will help no one but the rich
The Left warns that GOP tax reform will help no one but the rich

Tax reform bills offer a break, the left says, but they are a break for businesses, not families. A roundup of editorials Monday takes a look at the issue.Opinions from the Left:1. For tax reform worthy of the name, make it pro-employmentFrom The Hill: Now, just how is this plan going to help American workers? 2. Tax-Cut Bill to Make Scrooge...
The Right looks forward to the relief promised by tax reform
The Right looks forward to the relief promised by tax reform

Will tax reform bills in Congress offer Americans families a break? A roundup of editorials Monday takes a look at the issue. From The Oregonian: Oregon Sen. Jeff Merkley warns that the tax reform bill isn’t what you may think it is. From The Democrat-Gazette: Arkansas State Sen. Jason Rapert says the tax reform plan is the best shot for reinvestment...
Some ACA premiums fall while others spike; enrollment keeps surging
Some ACA premiums fall while others spike; enrollment keeps surging

Tyrone Jenkins sat in his insurance agent’s office on Friday, relieved about his health insurance. After all the upheaveal and news over skyrocketing Obamacare premiums, Jenkins will actually see his coverage costs plummet next year. He’ll pay less than half in 2018 what he did in 2017 for similar coverage. How can this be? Jenkins doesn&rsquo...
Democrats aim for suburbs in Alabama ahead of Deep South votes
Democrats aim for suburbs in Alabama ahead of Deep South votes

Amanda Wilson has watched with a mix of glee and uncertainty as the imposing homes along this wealthy suburban town’s zigzagging streets has suddenly sprouted Democratic signs. “I’m a blue dot in a big red state,” said Wilson, a 64-year-old retiree. “But I don’t feel as lonely anymore.” Republican U.S. Senate...
More Stories