Georgia voters to get credit monitoring in massive data breach


According to the Privacy Rights Clearinghouse, if you learn of a breach involving your driver's license information, contact the agency (in this case the state Department of Driver's Services) and ask it for recommendations. The website for DDS contacts is here: www.dds.ga.gov/aboutus/contactus.aspx#_.

For breaches involving Social Security numbers, the Privacy Rights Clearinghouse recommends putting a fraud alert on your credit report. If you contact any one of the bureaus, they will contact the other three.

Equifax: 888-766-0008

Experian: 888-397-3742

TransUnion: 800-680-7289

Also, request copies of your credit report to review for suspicious activity.

For more information, visit www.identitytheft.gov/ or www.privacyrights.org/how-to-deal-security-breach.

What happened: The Georgia Secretary of State's Office in October errantly distributed compact discs containing personal data for the state's 6 million some registered voters, including their Social Security numbers and birth dates, to 12 organizations that purchase "voter lists" every month. Secretary of State Brian Kemp says the discs have been recovered or destroyed.

What's next: Kemp plans to offer a year of free credit monitoring and identity theft restoration services for the state's registered voters.

Timeline of personal data release

Oct. 13 — The Georgia Secretary of State’s Office distributes compact discs containing personal data for the state’s 6 million some registered voters, including their Social Security numbers and birth dates, to 12 organizations that purchase “voter lists” every month.

Nov. 13 — Secretary of State Brian Kemp says he learned about the breach on this day.

Nov. 17 — Two women file a class-action lawsuit in Fulton County Superior Court alleging a massive data breach in the Secretary of State’s Office.

Nov. 18 — Kemp acknowledges that his office illegally disclosed the data. The data went to 12 organizations that regularly subscribe to “voter lists” maintained by the stat.

Nov. 19 — Kemp announces that an IT employee has been fired and that all 12 discs have been recovered or destroyed. He issues a formal public notice of the disclosure — including a hotline number within his office for concerned residents, 404-654-6045 — but offers no promise of credit monitoring. He also sends a separate letter to legislators saying that the Georgia Voter Registration System was never breached. “The system has been and remains secure, ” he says.

Nov. 20 — Kemp announces plans to hire a top auditing agency to review his technology department in the wake of the breach. He also acknowledges that a “similar but more limited” incident occurred in October 2012.

Nov. 30 — The League of Women Voters of Georgia requests that Gov. Nathan Deal order an independent investigation into the breach.

Dec. 2 — A former IT employee for the Secretary of State’s Office, who says he was the person Kemp fired and blamed for the breach, said the agency is not being honest about what has happened. He also outlines a more complicated series of missteps and miscommunication that led to the exposure of the data. Kemp responds that the employee “violated six different internal policies resulting in the release of data.”

Dec. 3 — Kemp announces plans to offer free credit monitoring and identity theft restoration services for the 6.2 million registered voters affected by the breach.

What happened: The Georgia Secretary of State's Office in October errantly distributed compact discs containing personal data for the state's 6 million some registered voters, including their Social Security numbers and birth dates, to 12 organizations that purchase "voter lists" every month. Secretary of State Brian Kemp says the discs have been recovered or destroyed.

What's next: Kemp plans to offer a year of free credit monitoring and identity theft restoration services for the state's registered voters.

Timeline of personal data release

Oct. 13 — The Georgia Secretary of State’s Office distributes compact discs containing personal data for the state’s 6 million some registered voters, including their Social Security numbers and birth dates, to 12 organizations that purchase “voter lists” every month.

Nov. 13 — Secretary of State Brian Kemp says he learned about the breach on this day.

Nov. 17 — Two women file a class-action lawsuit in Fulton County Superior Court alleging a massive data breach in the Secretary of State’s Office.

Nov. 18 — Kemp acknowledges that his office illegally disclosed the data. The data went to 12 organizations that regularly subscribe to “voter lists” maintained by the stat.

Nov. 19 — Kemp announces that an IT employee has been fired and that all 12 discs have been recovered or destroyed. He issues a formal public notice of the disclosure — including a hotline number within his office for concerned residents, 404-654-6045 — but offers no promise of credit monitoring. He also sends a separate letter to legislators saying that the Georgia Voter Registration System was never breached. “The system has been and remains secure, ” he says.

Nov. 20 — Kemp announces plans to hire a top auditing agency to review his technology department in the wake of the breach. He also acknowledges that a “similar but more limited” incident occurred in October 2012.

Nov. 30 — The League of Women Voters of Georgia requests that Gov. Nathan Deal order an independent investigation into the breach.

Dec. 2 — A former IT employee for the Secretary of State’s Office, who says he was the person Kemp fired and blamed for the breach, said the agency is not being honest about what has happened. He also outlines a more complicated series of missteps and miscommunication that led to the exposure of the data. Kemp responds that the employee “violated six different internal policies resulting in the release of data.”

Dec. 3 — Kemp announces plans to offer free credit monitoring and identity theft restoration services for the 6.2 million registered voters affected by the breach.

Georgia Secretary of State Brian Kemp announced plans Thursday to offer 6.2 million registered voters a year of free credit and identity theft monitoring services.

The announcement came more than two weeks after a massive data breach at the agency exposed those voters' personal information, including Social Security numbers and birth dates. An agency spokesman said the move is expected to cost $1.2 million, paid by the agency through reserve funds.

Kemp said he has contracted with Austin, Texas-based CSID for services that will be available within 10 to 14 business days. Additionally, he said all Georgia voters in the breach whose identity is compromised will be eligible for identity theft restoration services if their identity is compromised over the next year.

“I am confident that all personal information is safe and secure. However, I believe Georgia voters deserve peace of mind regarding this incident,” Kemp said in a statement. “We are continuing our internal investigation and have hired Deloitte to conduct an independent audit of all of our IT operations. Georgians have my word this will not happen again.”

It is not clear whether the state may face additional costs, or whether confidence that the exposed data was relatively contained helped keep costs down.

In 2012, a massive data breach reported by South Carolina exposed 3.8 million Social Security numbers, and officials blamed hackers who got into the state’s system. South Carolina paid Experian at least $12 million to provide credit monitoring for victims. State lawmakers there also put an additional $25 million into the budget for an extra year of credit protection and to upgrade computer security.

The audit by Deloitte is expected to cost about $400,000. And while many voters and lawmakers had called on Kemp to offer protection such as credit monitoring, the lack of details in Thursday’s announcement left some cold.

"While credit monitoring might be free for Georgians to enroll, it certainly won't be free to the taxpayers," said state Rep. Scott Holcomb, D-Atlanta, who has been a vocal critic of Kemp's handling of the data gaffe.

“On one hand the secretary of state is saying there’s nothing to worry about. On the other, he’s providing credit monitoring. It’s a mixed message, to say the least,” Holcomb said. “Now Secretary Kemp is signing up taxpayers to pay an additional $1.2 million for credit monitoring that he claims is unnecessary. That ain’t very fiscally conservative in my book.”

The personal data released in the breach appear to have been inadvertently sent out last month to 12 organizations that regularly subscribe to “voter lists” maintained by the state. The groups receiving the data — delivered via compact discs — included state political parties, news media organizations and Georgia GunOwner Magazine.

Kemp two weeks ago fired an IT employee over what he dubbed a "clerical error." That worker, longtime state programmer Gary Cooley, has disputed Kemp's version of events and told The Atlanta Journal-Constitution he did not have the security access to add millions of Social Security numbers and birth dates to a public data file.

Cooley instead outlined a more complicated series of missteps and miscommunication, both within the office and with PCC Technology Group, an outside vendor tasked with managing voter data for the state.

Kemp, who says he became aware of the breach Nov. 13, has said all 12 data discs illegally disclosing the private information have either been recovered or destroyed, and that the data were not disseminated. He also denied the disclosure was a breach of the state's voter registration system, saying the system itself was not hacked.

The agency has refused to turn over additional public records documenting aspects of the breach, saying it will release them after it completes an ongoing internal investigation.

On Monday, the League of Women Voters of Georgia formally asked Gov. Nathan Deal to open an independent inquiry into the release — a request Deal declined. Deal, whose office has previously referred all questions to Kemp’s office, for the first time Wednesday addressed the gaffe. He said he’s still confident in Kemp’s leadership. He declined the call for an independent inquiry.

According to the Secretary of State’s Office, direct links to CSID’s website will be listed on www.sos.ga.gov when the free services become available. Voters can also contact the agency at 404-654-6045.