Georgia: ‘Clerical error’ in data breach involving 6 million voters


Notable state data breaches

Georgia's data breach was one of the larger ones for a U.S. state. However the methods of how personal data has been accessed and revealed can vary. Here are some other notable breaches.

April 2009 - Hackers broke into a Virginia web site used by pharmacists to track prescription drug abuse and accessed records for about 8.3 million patients.

April 2011 - Texas accidentally released 3.5 million social security numbers on a publicly accessible state computer server.

March 2012 -  Private records for more than 800,000 people in California Department of Child Support Services were lost in transit.

April 2012 - Texas Attorney General accidentally released about 6.5 million social security numbers to lawyers challenging a voter ID case. Officials said the information was on encrypted disks and was not publicly released.

September 2012 - Hackers stole electronically filed tax returns for 3.8 million consumers and 657,000 businesses from the South Carolina Department of Revenue.

January 2013 - Information for more than 100,000 Florida Department of Juvenile Justice employees and youth offenders was at risk after mobile device  storing that information was taken from a facility.

February 2013 - The Washington State court system said up to 160,000 social security numbers and 1 million driver license numbers may have potentially been accessed.

November 2013 - Hackers breached Social Security numbers and banking information of more than 2 million students, staff and vendors from the Maricopa County (Arizona) Community College District.

October 2014 - The Oregon Employment Department found Social Security numbers of more than 850,000 people who were searching for jobs were compromised.

Two Georgia women have filed a class action lawsuit alleging a massive data breach by Secretary of State Brian Kemp involving the Social Security numbers and other private information of more than six million voters statewide.

The suit, filed Tuesday in Fulton County Superior Court, alleges Kemp’s office released the information including personal identifying information to the media, political parties and other paying subscribers who legally buy voter information from the state.

In response, Kemp’s office blamed a “clerical error” and said Wednesday afternoon that they did not consider it to be a breach of its system. It said 12 organizations, including statewide political parties, news media organizations and Georgia GunOwner Magazine, received the file.

“Our office shares voter registration data every month with news media and political parties that have requested it as required by Georgia law,” Kemp said in a statement. “Due to a clerical error where information was put in the wrong file, 12 recipients received a disc that contained personal identifying information that should not have been included. This violated the policies that I put in place to protect voters personal information.

“My office undertook immediate corrective action, including contacting each recipient to retrieve the disc, and I have taken additional administrative action within the agency to deal with the error,” Kemp said.

The suit alleges the unauthorized information released in October in the voter lists also involved dates of birth and drivers’ license numbers. The Atlanta Journal-Constitution independently confirmed the inclusion of the personal data in the October file. The AJC did so by accessing the October data disc, looking up information for an AJC staffer and confirming his Social Security number and driver’s license information was included.

The AJC has returned its copy of the disc to the state.

It is unclear how the private information came to be included in the file, and whether it was an internal error or the fault of an outsider contractor.

“Kemp has not notified a single Georgia citizen that his or her information may have been compromised,” the suit said. “Nor has he notified any consumer reporting agencies about the breach that could compromise ‘the security, confidentiality, or integrity of personal information’ of each Georgia voter as required under Georgia law,” it said.

Third parties can legally buy the voter lists from the state, but the lists are only supposed to include a voter’s name, residential or mailing address, race, gender, registration date and last voting date.

The alleged breach, which the suit says happened internally because of lax controls in Kemp’s office, would be one of the largest ever by a state.

In 2012, a massive data breach reported by South Carolina officials exposed 3.8 million Social Security numbers of the state's residents. At the time, Georgia officials said the state used data encryption and other controls not in place when hackers breached South Carolina's Department of Revenue.