State voter record breach involves critical information

Data security experts say the security lapse that potentially exposed the Social Security numbers and other personal information of more than 6 million Georgia voters could cause significant damage to consumers if they were to fall into the wrong hands.

The information, including dates of birth and driver’s license numbers, is far more valuable to criminals than the bank card information that has been stolen in several recent high-profile cyberattacks against retailers such as Target and Atlanta-based Home Depot.

Personal identity information can be used over and over and fetch high prices among criminals, while bank cards aren’t as valuable because they can be quickly canceled after a theft.

“When you get a Social Security number and a date of birth, you’ve got everything you need to do tremendous damage to these consumers,” said Stephen Coggeshall, the chief analytics and science officer for data security firms LifeLock and ID Analytics.

Consumers should contact at least one of the three major credit bureaus — Equifax, Experian and TransUnion — to issue fraud alerts, experts said, because criminals could use the information to establish bank accounts, open credit cards or cause other sorts of financial harm.

This week two Georgia women sued Secretary of State Brian Kemp’s office alleging the agency in October improperly released sensitive information to buyers of voter registration data.

News media, political parties and other paying subscribers who legally buy certain — usually less invasive — voter information for research or political campaign purposes were among the 12 recipients.

Typically, the state releases include only names, addresses, ethnicity, gender, registration date, last voting date, and the political party primaries in which they voted.

The Secretary of State’s Office is attempting to retrieve discs sent to 12 buyers in order to secure the data.

Kemp told The Atlanta Journal-Constitution his office “undertook immediate corrective action, including contacting each recipient to retrieve the disc, and I have taken additional administrative action within the agency to deal with the error.”

The AJC was one of the recipients and returned its disc to the agency.

Unlike recent hacks of major retailers or the federal Office of Personnel Management, the breach of Georgia voter data involves information shipped to a known and narrow spectrum of buyers, not criminals who illegally forced their way into organizations’ computer infrastructure.

That “mitigates the seriousness,” Coggeshall said, but if there is “any bad actor who is in those organizations or involved in the transmission or delivery, you might consider that data as truly compromised.”

He said the state should consider doing what many retailers and banks have done after being hacked and provide free credit monitoring from the major bureaus. That could be very costly.

David Barton, an information security expert and a managing partner of the accounting firm UHY Advisors in Atlanta, said the breach demonstrates a “lack of control” in handling the data.

It wasn’t immediately clear whether the improper release originated with the state or a contractor to the Secretary of State’s Office.

Barton said it doesn’t matter.

“There need to be controls before data is released, whether it is assembled in-house or not,” he said.

A mishmash of federal and state laws currently requires companies and government agencies to take steps to protect sensitive personal information and to notify affected people when their data have been inadvertently released.

A bill proposing a federal omnibus law on data breaches, the Data Security & Breach Notification Act, has been knocking around Washington for years, so far without becoming law.

Most of the existing federal laws are aimed at specific agencies such as the Department of Veterans Affairs or specific types of information, such as hospitals’ handling of patient records or credit card account information held by banks, retailers and payments processors.

The Federal Trade Commission regulates unfair trade practices by businesses, including poor data security practices that put consumers at the mercy of identity thieves and hackers.

But the FTC doesn’t regulate state agencies, making it a gray area as to whether the agency might investigate a contractor operating on the state agency’s behalf, if some fault exists there.

An FTC spokesman declined to comment on the possibility of an investigation.

Similar jurisdiction issues apply to the Federal Communications Commission, which regulates data slips by cable, telephone and Internet providers, and the Consumer Financial Protection Bureau, which weighs in when hackers scoop up credit card records from financial firms.

“Making matters worse, the federal agencies have no authority here,” said David Vladeck, a former head of the Federal Trade Commission’s Bureau of Consumer Protection.

“The FTC, which generally investigates commercial data breaches, has no authority over governmental entities,” said Vladeck, now a professor at Georgetown University’s law school.

The state Attorney General’s Office did not immediately respond to inquiries about whether it would investigate the Secretary of State Office’s handling of the data, or if the Law Department’s Office of Consumer Protection would advise voters about what they should do in the wake of the alleged security lapse.

Staff writer Kristina Torres contributed to this article.
