Georgia Secretary of State Brian Kemp acknowledged Wednesday that his office last month illegally disclosed the Social Security numbers and other private information of more than 6 million registered voters.
Kemp said the data went to 12 organizations who regularly subscribe to “voter lists” maintained by the state, and he was adamant that the “clerical error” did not compromise Georgia’s voter registration system. But the problem didn’t become public until two voters filed a class-action lawsuit alleging a massive data breach.
“It’s very, very scary,” said attorney Jennifer Jordan, who is representing Elise Piper and Yvette Sanders in the suit, which was filed Tuesday afternoon in Fulton County Superior Court. “My information was compromised, and I was kind of dumbfounded.”
Anyone registered to vote in Georgia is affected by the disclosure — some 6.2 million people.
It is not clear whether Georgia officials will seek consumer protections such as credit monitoring for the voters, a decision that could cost the state tens of millions of dollars. Attorney General Sam Olens — whose office oversees the Governor’s Office of Consumer Protection — declined to comment, citing the pending litigation.
Kemp’s office sent what it called “personal identifying information” to 12 organizations, including state political parties, news media organizations and Georgia GunOwner Magazine. The information was sent to the organizations Oct. 13, but officials may not have realized they goofed until 35 days later when they were served with the lawsuit.
That’s when several organizations, including The Atlanta Journal-Constitution, were contacted by investigators from Kemp’s office and asked to return the data discs containing the information. While the AJC and others — including the Georgia GOP and the Democratic Party of Georgia — have since complied with the request, at least one organization — the Libertarian Party — had not as of Wednesday afternoon.
“I am out at my daughter’s shooting competition,” the Libertarian Party’s Doug Craig said in a text when asked whether he would return the disc. “Going to tomorrow … maybe.”
Kemp, however, sought to show his office had gotten control of the situation.
“Our office shares voter registration data every month with news media and political parties that have requested it as required by Georgia law,” Kemp said in a statement. “Due to a clerical error where information was put in the wrong file, 12 recipients received a disc that contained personal identifying information that should not have been included. This violated the policies that I put in place to protect voters’ personal information.
“My office undertook immediate corrective action, including contacting each recipient to retrieve the disc, and I have taken additional administrative action within the agency to deal with the error,” Kemp said.
Kemp didn’t say what he meant by having “taken additional administrative action.” Kemp’s spokesman refused to clarify his comment and wouldn’t say whether anyone was fired for the error.
Experts say the breach could cause big problems.
“What a mess,” said David Vladeck, the former head of the Federal Trade Commission’s Bureau of Consumer Protection, now a professor at Georgetown University’s law school.
“This is a very serious breach involving a huge number of Georgia residents,” Vladeck said in an email. “The types of information released — especially SSNs and driver license records (which generally have addresses, dates of birth, pictures and other uniquely identifying information) — are very, very valuable to identity thieves.”
“At a minimum,” he added, “the state is going to have to take a number of steps to protect the residents affected by the breach, such as paying for credit monitoring.”
Individuals and organizations may legally buy voter lists from the state.
The suit alleges that the unauthorized information released in October in the voter lists involved Social Security numbers, dates of birth and driver’s license numbers. The AJC independently confirmed the inclusion of that data in the October file. The AJC did so by accessing the October data disc, looking up information for one of its staffers and confirming that his Social Security number and driver’s license information were included.
Georgia’s identity theft law, enacted in 2005, requires businesses and state and local government agencies and information brokers to notify affected consumers by telephone, email, written notice or other methods “in the most expedient time possible” after a data breach is discovered.
If more than 10,000 people are affected, the law also requires credit reporting agencies to be quickly notified. For breaches affecting more than 100,000 people, the law requires the business or government agency to send an email alert, post a “conspicuous” notice on its website and notify “major state-wide media.”
The state gave no indication that it plans to notify those whose records were exposed.
While third parties can legally buy the voter lists from the state, the lists are only supposed to include a voter’s name, residential or mailing address, race, gender, registration date and last voting date.
The breach, which the suit says happened internally because of lax controls in Kemp’s office, would be one of the largest ever by a state.
In 2012, a massive data breach reported by South Carolina officials exposed 3.8 million Social Security numbers. At the time, Georgia officials said the state used data encryption and other controls not in place when hackers breached South Carolina’s Department of Revenue.
South Carolina paid Experian $12 million to provide credit monitoring for victims. State lawmakers there also put an additional $25 million into budget for an extra year of credit protection and to upgrade computer security.
Support real journalism. Support local journalism. Subscribe to The Atlanta Journal-Constitution today. See offers.
Your subscription to the Atlanta Journal-Constitution funds in-depth reporting and investigations that keep you informed. Thank you for supporting real journalism.
Staff writers Greg Bluestein, Aaron Gould Sheinin and Russell Grantham contributed to this article.