Feds: ‘Security researcher’ behind KSU data breach broke no federal law

Federal investigators say a "security researcher" was behind a data breach at Kennesaw State University's Center for Election Systems, and his probing of the system broke no federal law.

University officials announced the finding Friday after being briefed by investigators from the Federal Bureau of Investigation, ending a monthlong probe over a potential hacking case that had raised alarms over the security of the state’s election system.

In a statement, university officials acknowledged what they called “unauthorized access” to a server used by the center, which helps the state prepare elections information and has access to millions of Georgia voter records. No student data were involved in the case.

They said the incident has prompted a review of the university’s digital security efforts.

“We are working with experts within the University System of Georgia and a nationally renowned outside firm to validate that KSU’s systems are secured and meet best-practice standards,” KSU President Sam Olens said in the statement. “We greatly appreciate the speed and dedication of the FBI and the U.S. Attorney’s Office in helping us resolve this issue.”

No charges have been announced and officials did not name the researcher, who is believed to have contacted the center at least twice — including once before last year's presidential election — to notify it about the server's vulnerabilities and apparently draw attention to them.

The Atlanta Journal-Constitution has reported previously that state officials believed the researcher never penetrated the center’s core systems, which represent the heart of its work.

Those core systems are "air-gapped," meaning they are not connected to the internet and are not connected to the KSU server involved in the investigation. The center uses the systems to help the state build and duplicate the digital lists of eligible voters used by poll workers in each of the state's 3,000 precincts to verify voters' names, addresses and registration.

A spokeswoman for Georgia Secretary of State Brian Kemp, the state’s top election official, said the office is pleased with how federal officials conducted the investigation, which was done as the state prepares for a nationally watched special election April 18 to replace former U.S. Rep. Tom Price.

“We are pleased to learn that FBI officials have completed the investigation at KSU, and we appreciate their dedication in resolving this case,” Kemp spokeswoman Candice Broce said.

The state’s voter registration database and other election systems run by the office were not involved in the inquiry, and there is no evidence they have been hacked. Officials have said that the private company used by the office to protect those systems has been on “heightened alert” since the breach.

The state is also planning to continue using its usual supply of poll books as well as “direct-recording electronic” voting machines, or DREs, known by voters for their touch screens.

The state committed to the machines in 2002 when it last overhauled its elections.

At the same time, it also eliminated a paper trail of recorded votes, something a group of computer scientists and security experts said earlier this month that the state should reconsider in light of concerns over the hack.