Exclusive: Fired Kemp worker says he’s a scapegoat in data breach

Staff writer Greg Bluestein contributed to this article.

The employee fired after being blamed for a massive data breach at the Georgia Secretary of State’s Office said Wednesday that the agency isn’t being honest about what happened. Now, he wants to set the story straight

In an exclusive interview with The Atlanta Journal-Constitution, longtime state programmer Gary Cooley said he did not have the security access to add millions of Social Security numbers and birth dates to a public data file — something Secretary of State Brian Kemp accused him of doing.

He acknowledged that he should have been more cautious in the chain of events leading up to the breach. But Cooley also outlined a more complicated series of missteps and miscommunication, both within the office and with PCC Technology Group, an outside vendor tasked with managing voter data for the state.

When asked whether he has been made a scapegoat by the state agency, an emotional Cooley paused, then said, “It seems like the pure definition of the word, what happened to me.”

“I just want to clear my name and get the story correct,” Cooley said. “Today, I told the absolute truth.”

Kemp's office has refused to release Cooley's personnel file because of what it said is an ongoing internal investigation. The secretary of state has also previously announced an overhaul in security safeguards as well as an audit of his IT department to prevent this from happening again.

“This employee violated six different internal policies resulting in the release of data,” Kemp said in a statement Wednesday. “He was the only employee that knew of the violation and chose to cover up his mistakes. As soon as I was informed of the error, I took immediate action to recover the data, and I fired this employee.

“As I have said from the beginning, I take full responsibility for this situation. We are continuing a thorough internal investigation and have hired Deloitte to conduct a thorough review of our IT Division and all its protocols and procedures. All of the information about this employee’s actions and our successful efforts to correct them will be made public when our investigation is done, in full compliance with Georgia’s open records laws.”

“I can assure Georgia’s voters that their personal information is secure and that this will never happen again.”

Revenue Department sought data

Cooley said the story began in late summer when the Secretary of State’s Office received a request from the Georgia Department of Revenue. The state agency, he said, wanted regular voter files plus something not given out to the public: voters’ Social Security numbers, birth dates and driver’s license numbers.

Once his agency’s lawyers OK’d the request, Cooley said he reached out Oct. 3 to his contact at PCC and requested the company create a separate data file. The new file, he told them in an email, should include the same layout as the state’s regular statewide voter file. But, he said, it needed an addition of the three new data fields with the sensitive information.

The vendor apparently misunderstood the email, Cooley said. A spokesman for the Connecticut-based company declined to comment.

When Cooley emailed his PCC contact on Oct. 13 to ask about the project’s status, he said he was told it had been completed the day he’d made the request. The sensitive information had been added to the state’s existing statewide voter file. Cooley said he immediately contacted PCC to have the sensitive data removed, running a test to confirm it had been deleted. Cooley said he also checked the office’s network to see whether anyone had pulled the file. He said he found no obvious signs it had.

“I thought, ‘we got lucky, no harm done,’ ” he said. He also said he could not have accessed the file to make changes even if he wanted to, since the information is secured through a locked-down program.

What he did not know, he said, was that another employee in the Secretary of State’s Office had already grabbed the file and burned it onto compact discs. It was a routine action, since those discs are emailed monthly to groups including the AJC that regularly subscribe to “voter lists” maintained by the state. In all, 12 organizations received those discs, including state political parties, news media organizations and Georgia GunOwner Magazine.

However, Cooley — who said he has worked either as a contractor or full-time employee for the state since 1995 — said the office’s security protocol had already been broken. The other employee appears to have put the file directly onto his computer hard drive instead of onto the office’s network, which Cooley said would explain why there was no electronic trace when he looked for it on Oct. 13.

Additionally, the employee was supposed to eyeball the data to confirm it looked right. Cooley said his boss, right before he fired Cooley, indicated the employee said he had not done that because he felt the file was too big.

‘The thing I regret’

“I admit I’m kicking myself for not walking over” and asking the employee whether he had pulled any files recently, Cooley said. “That’s the thing I regret.”

Cooley said he respected the work done by PCC and that what happened was “an honest mistake, and we did the best we could do to correct it.”

ExploreNeither Kemp nor his office has ever identified Cooley as the employee fired over the data breach, which affected 6.2 million registered voters in Georgia.

According to a narrative Kemp presented two weeks ago, the fired employee inadvertently added the personal data, including Social Security numbers and birth dates, to the public statewide voter file on Oct. 6. The office then downloaded the file to discs and distributed those discs to 12 organizations requesting the information on Oct. 13.

On Oct. 14, Kemp has said the employee “corrected his mistake and removed the personal information. The employee never notified anyone of the change, or of the period when personal information was on the file.”

Kemp, who says he became aware of the breach Nov. 13, has said all 12 data discs illegally disclosing the private information have either been recovered or destroyed, and that the data were not disseminated. The state issued a public notice about the breach after the AJC wrote about a class-action lawsuit alleging a massive data breach within the office.

On Monday, the League of Women Voters of Georgia formally asked Gov. Nathan Deal to open an independent inquiry into the release. Deal, whose office has previously referred all questions to Kemp's office, for the first time Wednesday addressed the gaffe. He said he's still confident in Kemp's leadership. He declined the call for an independent inquiry.

“My situation is the same as other Georgians,” Deal said. “Any time your personal information is compromised, that is a matter for concern. The real question that is at issue now is has it in fact be compromised. And that is what his further investigation will reveal.”

He added: “I think what you’ll hear from the secretary of state is that he’s taking every precaution to keep information safe.”