State voter record breach involves critical information

Data security experts say the security lapse that potentially exposed the Social Security numbers and other personal information of more than 6 million Georgia voters could cause significant damage to consumers if the data were to fall into the wrong hands.

The information, including dates of birth and driver’s license numbers, is far more valuable to criminals than the bank card information that has been stolen in several recent high-profile cyberattacks against retailers such as Target and Atlanta-based Home Depot.

Personal identity information can be used over and over and fetch high prices among criminals, while bank cards aren’t as valuable because they can be quickly canceled after a theft.

“When you get a Social Security number and a date of birth, you’ve got everything you need to do tremendous damage to these consumers,” said Stephen Coggeshall, the chief analytics and science officer for data security firms LifeLock and ID Analytics.

Consumers should contact at least one of the three major credit bureaus — Equifax, Experian and TransUnion — to issue fraud alerts, experts said, because criminals could use the information to establish bank accounts, open credit cards or cause other sorts of financial harm.

This week two Georgia women sued Secretary of State Brian Kemp’s office alleging the agency in October improperly released sensitive information to buyers of voter registration data.

News media, political parties and other paying subscribers who legally buy certain — usually less invasive — voter information for research or political campaign purposes were among the 12 recipients.

Typically, the state releases include only voters’ names, addresses, ethnicity, gender, registration date, last voting date, and the political party primaries in which they voted.

The Secretary of State’s Office is attempting to retrieve discs sent to 12 buyers in order to secure the data.

Kemp told The Atlanta Journal-Constitution his office “undertook immediate corrective action, including contacting each recipient to retrieve the disc, and I have taken additional administrative action within the agency to deal with the error.”

The AJC was one of the recipients and returned its disc to the agency.

Unlike recent hacks of major retailers or the federal Office of Personnel Management, the breach of Georgia voter data involves information shipped to a known and narrow spectrum of buyers, not criminals who illegally forced their way into organizations’ computer infrastructure.

That “mitigates the seriousness,” Coggeshall said, but if there is “any bad actor who is in those organizations or involved in the transmission or delivery, you might consider that data as truly compromised.”

He said the state should consider doing what many retailers and banks have done after being hacked and provide free credit monitoring from the major bureaus. That could be very costly.

David Barton, an information security expert and a managing partner of the accounting firm UHY Advisors in Atlanta, said the breach demonstrates a “lack of control” in handling the data.

It wasn’t immediately clear whether the improper release originated with the state or a contractor to the Secretary of State’s Office.

Barton said it doesn’t matter.

“There need to be controls before data is released, whether it is assembled in-house or not,” he said.

A mishmash of federal and state laws currently requires companies and government agencies to take steps to protect sensitive personal information and to notify affected people when their data have been inadvertently released.

A bill proposing a federal omnibus law on data breaches, the Data Security & Breach Notification Act, has been knocking around Washington for years, so far without becoming law.

Most of the existing federal laws are aimed at specific agencies such as the Department of Veterans Affairs or specific types of information, such as hospitals’ handling of patient records or credit card account information held by banks, retailers and payments processors.

The Federal Trade Commission regulates unfair trade practices by businesses, including poor data security practices that put consumers at the mercy of identity thieves and hackers.

But the FTC doesn’t regulate state agencies, making it a gray area as to whether the agency might investigate a contractor operating on the state agency’s behalf, if some fault exists there.

An FTC spokesman declined to comment on the possibility of an investigation.

Similar jurisdiction issues apply to the Federal Communications Commission, which regulates data slips by cable, telephone and Internet providers, and the Consumer Financial Protection Bureau, which weighs in when hackers scoop up credit card records from financial firms.

“Making matters worse, the federal agencies have no authority here,” said David Vladeck, a former head of the Federal Trade Commission’s Bureau of Consumer Protection.

“The FTC, which generally investigates commercial data breaches, has no authority over governmental entities,” said Vladeck, now a professor at Georgetown University’s law school.

The state Attorney General’s Office did not immediately respond to inquiries about whether it would investigate the Secretary of State’s Office’s handling of the data, or if the Law Department’s Office of Consumer Protection would advise voters about what they should do in the wake of the alleged security lapse.

Staff writer Kristina Torres contributed to this article.
