As many as 7.5 million voter records involved in Georgia data breach


Millions of Georgia voters may have had their personal information compromised for the second time in as many years, as the Federal Bureau of Investigation opened an investigation Friday at Kennesaw State University’s Center for Election Systems involving an alleged data breach.

As many as 7.5 million voter records may be involved, according to a top state official briefed on the information but not authorized to speak on the record. Neither federal officials nor university officials would confirm the scope of the investigation or how many records had potentially been accessed.

State officials found out about the breach Thursday evening, after being notified by the university. The governor’s office said it asked the Georgia Bureau of Investigation to contact the FBI after learning about the scope of the problem.

“After learning of this incident at Kennesaw State University, we reached out to law enforcement,” Georgia Secretary of State Brian Kemp said. “This matter is deeply concerning, but I am confident the FBI working with KSU will track down the perpetrator.”

The university in a statement released Friday afternoon said it was “working with federal law enforcement officials to determine whether and to what extent a data breach may have occurred involving records maintained by the Center for Election Systems.”

“Because this involves a pending criminal investigation, Kennesaw State will have no further comment on this matter and any inquiries should be addressed to the U.S. Attorney’s Office,” the statement said.

The FBI had no immediate comment. A spokesman for the U.S. Attorney’s Office also declined to comment because the investigation is ongoing.

The Georgia Secretary of State’s Office said Friday that the investigation is not related to its own network and is not a breach of its own, separate database containing the personal information of 6.6 million voters currently registered in Georgia. The office referred all other questions to both university and federal officials.

In 2015, the Secretary of State’s Office inadvertently disclosed the Social Security numbers and other private information of more than 6 million registered voters. That data went to 12 organizations, including media outlets and political parties, who regularly subscribe to “voter lists” maintained by the state, although the office later said all 12 discs containing the data were either recovered or destroyed.

The election systems center at the university has since 2002 overseen the state’s election operations and voting machines. It does that work through an agreement with the Secretary of State’s Office. It does not, however, maintain live databases or the state’s official voter registration database.

The collaboration with the center is one of the most unusual election partnerships in the nation. Merle King, the center’s executive director, is respected nationally for his deep knowledge of election systems. The center has only one client, the state, and only a handful of staff and student assistants, yet it has a hand in almost every operation that touches Election Day.

It creates every ballot for every election and tests every single piece of voting equipment used across the state, among other things.

The center also sources every single device known as an electronic poll book (a digital list of eligible voters) used by poll workers in each of the state’s 3,000 precincts to verify voters’ names, addresses and registration.

It pulls those names from the Secretary of State’s Office’s database, although the list at the center is itself not live on the internet. It is instead housed on a closed, internal system at the center. The voting transaction logs kept on those electronic poll books are also not directly housed on the internet but rather on the center’s servers.

That is by design. While anything is possible, the system has different layers of security and controls built into it to limit and detect unauthorized access.

If a breach occurred involving voter records, it would likely have to do with the logs used to create the electronic poll books. It also would likely have come through the university’s own information technology system, given the statement from the Secretary of State’s Office that its network and systems were not involved.

The university’s IT system would have provided the most likely gateway into the center’s servers and into the logs used by the center to build the poll books.

It is unclear, however, exactly how it happened, exactly what information was taken or whether the breach was malicious.

Tony Uceda Velez, the CEO of the Atlanta-based data security company VerSprite, is not involved in the probe but said he would expect federal investigators to cast a wide net in piecing together what happened.

“They’re going to comb through network logs, going to look at server logs, they’re going to look at application logs and they’re basically going to try to piecemeal a time of when the attack happened and what types of activities happened on the network and on those different sources,” Uceda Velez said.

“I know a lot of people at the university and there are a lot of good people there,” he said, “and I’m sure they’re doing the necessary steps around forensic analysis and incident response.”

Staff writer Greg Bluestein and Channel 2 Action News reporter Aaron Diamant contributed to this article.


