- Kristina Torres The Atlanta Journal-Constitution
Two Georgia women have filed a class action lawsuit alleging a massive data breach by Secretary of State Brian Kemp involving the Social Security numbers and other private information of more than six million voters statewide.
The suit, filed Tuesday in Fulton County Superior Court, alleges Kemp’s office released the information including personal identifying information to the media, political parties and other paying subscribers who legally buy voter information from the state.
In response, Kemp’s office blamed a “clerical error” and said Wednesday afternoon that they did not consider it to be a breach of its system. It said 12 organizations, including statewide political parties, news media organizations and Georgia GunOwner Magazine, received the file.
“Our office shares voter registration data every month with news media and political parties that have requested it as required by Georgia law,” Kemp said in a statement. “Due to a clerical error where information was put in the wrong file, 12 recipients received a disc that contained personal identifying information that should not have been included. This violated the policies that I put in place to protect voters personal information.
“My office undertook immediate corrective action, including contacting each recipient to retrieve the disc, and I have taken additional administrative action within the agency to deal with the error,” Kemp said.
The suit alleges the unauthorized information released in October in the voter lists also involved dates of birth and drivers’ license numbers. The Atlanta Journal-Constitution independently confirmed the inclusion of the personal data in the October file. The AJC did so by accessing the October data disc, looking up information for an AJC staffer and confirming his Social Security number and driver’s license information was included.
The AJC has returned its copy of the disc to the state.
It is unclear how the private information came to be included in the file, and whether it was an internal error or the fault of an outsider contractor.
“Kemp has not notified a single Georgia citizen that his or her information may have been compromised,” the suit said. “Nor has he notified any consumer reporting agencies about the breach that could compromise ‘the security, confidentiality, or integrity of personal information’ of each Georgia voter as required under Georgia law,” it said.
Third parties can legally buy the voter lists from the state, but the lists are only supposed to include a voter’s name, residential or mailing address, race, gender, registration date and last voting date.
The alleged breach, which the suit says happened internally because of lax controls in Kemp’s office, would be one of the largest ever by a state.
In 2012, a massive data breach reported by South Carolina officials exposed 3.8 million Social Security numbers of the state’s residents. At the time, Georgia officials said the state used data encryption and other controls not in place when hackers breached South Carolina’s Department of Revenue.