As many as 7.5 million voter records involved in Georgia data breach


Millions of Georgia voters may have had their personal information compromised for the second time in as many years, as the Federal Bureau of Investigation opened an investigation Friday at Kennesaw State University’s Center for Election Systems involving an alleged data breach.

As many as 7.5 million voter records may be involved, according to a top state official briefed on the information but not authorized to speak on the record. Neither federal officials nor university officials would confirm the scope of the investigation or how many records had potentially been accessed.

State officials found out about the breach Thursday evening, after being notified by the university. The governor’s office said it asked the Georgia Bureau of Investigation to contact the FBI after learning about the scope of the problem.

“After learning of this incident at Kennesaw State University, we reached out to law enforcement,” Georgia Secretary of State Brian Kemp said. “This matter is deeply concerning, but I am confident the FBI working with KSU will track down the perpetrator.”

The university in a statement released Friday afternoon said it was “working with federal law enforcement officials to determine whether and to what extent a data breach may have occurred involving records maintained by the Center for Election Systems.”

“Because this involves a pending criminal investigation, Kennesaw State will have no further comment on this matter and any inquiries should be addressed to the U.S. Attorney’s Office,” the statement said.

The FBI had no immediate comment. A spokesman for the U.S. Attorney’s Office also declined to comment because the investigation is ongoing.

The Georgia Secretary of State’s Office said Friday that the investigation is not related to its own network and is not a breach of its own, separate database containing the personal information of 6.6 million voters currently registered in Georgia. The office referred all other questions to both university and federal officials.

In 2015, the Secretary of State’s Office inadvertently disclosed the Social Security numbers and other private information of more than 6 million registered voters. That data went to 12 organizations, including media outlets and political parties, who regularly subscribe to “voter lists” maintained by the state, although the office later said all 12 discs containing the data were either recovered or destroyed.

The election systems center at the university has since 2002 overseen the state’s election operations and voting machines. It does that work through an agreement with the Secretary of State’s Office. It does not, however, maintain live databases or the state’s official voter registration database.

The collaboration with the center is one of the most unusual election partnerships in the nation. Merle King, the center’s executive director, is respected nationally for his deep knowledge of election systems. The center has only one client — the state – and only a handful of staff and student assistants, yet it has a hand in almost every operation that touches Election Day.

It creates every ballot for every election and tests every single piece of voting equipment used across the state, among other things.

The center also sources every single device known as an electronic poll book (a digital list of eligible voters) used by poll workers in each of the state’s 3,000 precincts to verify voters’ names, addresses and registration.

It pulls those names from the Secretary of State’s Office’s database, although the list at the center is itself not live on the internet. It is instead housed on a closed, internal system at the center. The voting transaction logs kept on those electronic poll books are also not directly housed on the internet but rather on the center’s servers.

That is by design. While anything is possible, the system has different layers of security and controls built into it to limit and detect unauthorized access.

If a breach occurred involving voter records, it would likely have to do with the logs used to create the electronic poll books. It also would likely have come through the university’s own information technology system, given the statement from the Secretary of State’s Office that its network and systems were not involved.

The university’s IT system would have provided the most likely gateway into the center’s servers and into the logs used by the center to build the poll books.

It is unclear, however, exactly how it happened, exactly what information was taken or whether the breach was malicious.

Tony Uceda Velez, the CEO of the Atlanta-based data security company VerSprite, is not involved in the probe but said he would expect federal investigators to cast a wide net in piecing together what happened.

“They’re going to comb through network logs, going to look at server logs, they’re going to look at application logs and they’re basically going to try to piecemeal a time of when the attack happened and what types of activities happened on the network and on those different sources,” Uceda Velez said.

“I know a lot of people at the university and there are a lot of good people there,” he said, “and I’m sure they’re doing the necessary steps around forensic analysis and incident response.”

Staff writer Greg Bluestein and Channel 2 Action News reporter Aaron Diamant contributed to this article.


Reader Comments ...

Next Up in Georgia Politics

Republicans say they have a deal on tax bill
Republicans say they have a deal on tax bill

WASHINGTON — House and Senate Republicans reached an agreement, in principle, on a consensus tax bill Wednesday, keeping the party on track for final votes next week with the aim of delivering a bill to President Donald Trump’s desk by Christmas, according to people briefed on the deal. Sen. John Cornyn of Texas, the majority whip, told...
Trump sends tweet about female senator that critics say is sexually suggestive, demeaning
Trump sends tweet about female senator that critics say is sexually suggestive, demeaning

WASHINGTON — President Donald Trump attacked Sen. Kirsten Gillibrand, D-N.Y., in a sexually suggestive tweet Tuesday morning that implied Gillibrand would do just about anything for money, prompting an immediate backlash. "Lightweight Senator Kirsten Gillibrand, a total flunky for Charles E. Schumer and someone who would come to my office...
In Alabama, the left wonders if there can even be a winner
In Alabama, the left wonders if there can even be a winner

What is the race for the Alabama Senate seat really about? A roundup of editorials Tuesday takes a look at the issue. From The New York Times: The race isn’t necessarily between Roy Moore and Doug Jones. From ABC: If we gather in our own tribes can we ever get to a consensus on anything? From St. Louis Post Dispatch: What would be next? Firing...
Is the price for a vote in the Senate one the right wants to pay?
Is the price for a vote in the Senate one the right wants to pay?

Election Day is here, and we have to look at the cost of Roy Moore as a United States senator. A roundup of editorials Tuesday takes a look at the issue. From Newsmax: The RNC is trading its soul for a vote in the Senate. From The National Review: Alabamians, Moore has done nothing to earn your vote. From al.com: Will Alabama be remembered as a place...
Last WWII veteran in Georgia Legislature, John Yates, dies
Last WWII veteran in Georgia Legislature, John Yates, dies

John Yates, the last World War II veteran to serve in the Georgia General Assembly, has died. He was 96. Yates became one of a small number of Republicans in the Georgia House at the time he was first elected in 1988. After losing re-election, he ran again in 1992 and remained in office until 2016 representing a district based in Griffin. Yates...
More Stories