Next Story

Terrorism and national security will be the focus of debate

New details on Georgia Secretary of State Office’s massive data breach


A long-awaited state report detailing how Georgia gave out more than 6 million voters’ Social Security numbers and other private data put the blame squarely on a employee fired for the breach last month.

That employee, longtime state programmer Gary Cooley, flouted office protocol and policy within Georgia Secretary of State Brian Kemp’s office, according to the internal report about the data breach released Monday by the office and the state Department of Human Resources.

The breach, it said, “was due to Mr. Cooley working outside of and circumventing established policies and procedures,” the report concluded. It called for more training, clearer policies and more active management of sensitive data.

After the report’s late afternoon release, Cooley — who until last month had worked either as a contractor or full-time employee for the state since 1995 — said he wanted more time to go through it and planned to issue a response Tuesday.

The report’s public release was the first full accounting by Kemp’s office of the gaffe. It provided more details about what happened, although it also confirmed much of a narrative provided by Cooley two weeks ago to The Atlanta Journal-Constitution.

It came as Gov. Nathan Deal approved Kemp’s hiring of outside attorneys to help him deal with a lawsuit related to the breach. It also came as a member of Georgia’s congressional delegation called for a federal investigation.

In a statement, Kemp downplayed that call, saying his office “has maintained constant communication with elected officials.”

“The vast majority of legislators approve of the steps we’ve taken to fix the issue,” Kemp said. “We have received particularly good response to (offering to provide) free credit monitoring to anyone who asks for it. Gov. Deal said he felt like my office had taken every step I could, and I appreciate that.”

The report said that in August, the Georgia Department of Revenue requested sensitive data including voters’ Social Security numbers, birth dates and driver’s license numbers in order to “match” entries it had in its database. The report does not say why the Revenue Department wanted to match the numbers, but the request started a chain reaction that led to the breach.

Once the office’s lawyers OK’d the request, Cooley in October contacted PCC Technology Group, an outside vendor tasked with managing voter data for the state, to fulfill the request.

While the agencies had wanted the sensitive information put into a new, secure file created specifically for that purpose, PCC misunderstood the request. Instead, it uploaded the data to an existing statewide voter file that should not have had the information. The report said only Cooley was supposed to have access to the statewide voter file but had shared his user ID with another employee.

That employee was not named in the report.

Days after the upload, the other employee accessed the file and burned it onto compact discs. It is a routine action, since the discs are emailed monthly to groups including the AJC that regularly subscribe to “voter lists” maintained by the state. In all, 12 organizations received those discs, including state political parties, news media organizations and Georgia GunOwner Magazine.

Kemp has said all 12 data discs have either been recovered or destroyed.

Cooley discovered the mix-up Oct. 13. He asked PCC to delete the sensitive data from the voter file, since it wasn’t supposed to go there. Cooley told the AJC he ran a test to confirm it had been deleted. Cooley said he also checked the office’s network to see whether anyone had pulled the file. He said he found no obvious signs it had. He said he did not know another employee had already accessed the file.

According to the report, if Cooley had “chosen to mention the data issue to his supervisor” or others in the office, “the discs likely could have been recovered before they were even mailed,” the report said. “Instead, Mr. Cooley chose to cover up his mistake and remain quiet.”

Cooley two weeks ago told the AJC that he thought he had caught the mistake. He also said the office’s security protocol had already been broken by the other employee.

The other employee, Cooley said, appeared to have put the file directly onto his computer hard drive instead of onto the office’s network, which Cooley said would explain why there was no electronic trace when he looked for it Oct. 13. Cooley also said the employee who mailed the discs was supposed to eyeball the data to confirm it looked right.

The report acknowledged that he didn’t, although blamed Cooley for not providing the office a way to read big data files, including the voter file.

Kemp had already singled Cooley out for what the Secretary of State initially called a “clerical error.” Although the office had previously refused to release Cooley’s personnel record, the report said he had previously been reprimanded for a “tendency to act independently” that included “procedural issues” involving how he handled data.

Yet, the report also noted that the office singled Cooley out in a positive way, giving him special data access “because of his singular and unique institutional knowledge” of the office’s computer system.

While the breach occurred Oct. 13, the office didn’t find out about it until Nov. 13. It also didn’t publicly disclose it until Nov. 18, after the AJC wrote about a class-action lawsuit alleging a massive breach within the office.

Deal on Monday issued an executive order appointing the Troutman Sanders law firm to represent Kemp’s office in the lawsuit. Georgia Attorney General Sam Olens through a spokesman said his office had a conflict with the case, since it also oversees the state’s consumer protection efforts. Olens and Kemp, however, are also considered potential political rivals in the 2018 governor’s race.

U.S. Rep. Hank Johnson, D-Lithonia, on Monday requested that Federal Trade Commission chairwoman Edith Ramirez open an investigation into the breach.

Federal law, Johnson said, regulates how government should handle individual privacy rights in dealing with computerized databases, including the Privacy Act of 1964, the Social Security Act and the Driver’s Privacy Protection Act.

“All three statutes provide for criminal and civil penalties when violated, and there is strong evidence to suggest that these federal statutes were violated in the wake of this massive data breach,” Johnson said in the letter. “It is within the FTC’s authority to take action against entities that fail to protect citizens’ private data.”

Reader Comments ...

Next Up in Georgia Politics

Georgia resets rules on voter challenges after a town got it wrong
Georgia resets rules on voter challenges after a town got it wrong

A recent string of problems over how local officials challenged the registration of Georgia voters can be summed up in the curt, one-page letter that arrived mid-July at Jennifer Hill’s home near Savannah. Even though she had lived there for three years, the tiny town of Thunderbolt wanted Hill to prove her residency because her name did...
Lawmakers begin talks about how to replace Georgia’s aging vote system
Lawmakers begin talks about how to replace Georgia’s aging vote system

A handful of lawmakers began the discussion Friday about what it might take to move Georgia to a new election system, an important but incremental step toward replacing the state’s aging voting machines. The meeting of the state House Science and Technology Committee represents a start. Any decision will likely take a few years and, depending...
Graham-Cassidy obscures deadlines for other key actions on health care
Graham-Cassidy obscures deadlines for other key actions on health care

Nearly one hundred and fifty million dollars to keep Georgia hospitals’ indigent care afloat. Funding for the PeachCare program that along with Medicaid covers about half of Georgia’s kids. Clear answers on Obamacare subsidies that Blue Cross said it needed to keep selling individual plans in metro Atlanta. Those are some things that Congress...
Georgia ethics panel to begin auditing candidates in governor’s race
Georgia ethics panel to begin auditing candidates in governor’s race

After years of mainly investigating issues raised by Georgians, the state’s ethics watchdog agency plans to aggressively audit campaign filings from all the major statewide races coming up. Stefan Ritter, the executive secretary of the ethics commission, said that while some details still have to be worked out, the agency will be auditing the...
From the Right, the advice for Trump is to try diplomacy
From the Right, the advice for Trump is to try diplomacy

A roundup of editorials Friday looks at the idea that kicking North Korea out of the UN would go a long way toward helping the current situation, and that having President Donald Trump negotiate instead of threaten would be the best move to make.  Here are some opinions from the Right. From The Wall Street Journal: If the world community is serious...
More Stories