Oct. 6: An employee of the Secretary of State’s Office inadvertently added personal data, including Social Security numbers, to the public statewide voter file.
Oct. 13: The office distributes compact discs containing that information to 12 groups in the media or other third parties.
Oct. 14: The employee, according to a letter Secretary of State Brian Kemp sent to state legislators, “corrected his mistake” by removing the personal information but “never notified anyone of the change, or of the period when personal information was on the file.”
Nov. 13: Kemp’s office finds out that personal data was included on the voter lists that were sent out.
Tuesday: A lawsuit is filed in Fulton County Superior Court accusing Kemp’s office of a data breach that affects some 6 million voters.
Wednesday: Kemp acknowledges that the personal data had been released in error.
Thursday: Kemp announces that the employee has been fired and that all 12 discs have been recovered or disposed of. He issues a formal public notice of the disclosure, including a hotline number within his office for concerned residents but no promise of credit monitoring.
Friday: Kemp reveals a previously undisclosed breach of voter information from 2012 and says he plans to hire auditors Ernst & Young to conduct a review of “our entire operation.”
The admission last week by Georgia Secretary of State Brian Kemp that a "clerical error" resulted in the unintentional release of the private information of more than 6 million Georgia voters sent shock waves throughout the state.
“If a clerical position has the ability to disclose it inadvertently then there is something wrong,” said Joel Shattles Jr., a retiree from Lawrenceville concerned about the breach. “It’s anyone’s guess how it is being used.”
Kemp has said the personal data, which included birth dates, Social Security and driver's license numbers — a gold mine for identity thieves, has been retrieved or accounted for and the employee responsible for releasing the information has been fired. Nine of the 12 news and political organizations that received the data returned it to the Secretary of State; the other three said they threw it away.
But the breach is worrisome for citizens who must disclose mounds of personal information to agencies throughout the state to get driver's licenses, file their taxes or apply for social programs.
Just how safe is our data?
“The answer is one that gets into the nuances of security,” said Mark Reardon, state information security officer for the Georgia Technology Authority. “I would tell you that I feel in my area of the state that that information is pretty secure, but that isn’t going to be reassuring to somebody who is looking for an absolute.”
Indeed, while the Georgia Technology Authority sets the data security standards for much of state government, it has little authority to enforce those standards and no power over the Secretary of State, a constitutional office that sets its own policies.
How data security standards are implemented varies because agencies control their own budgets, Reardon said. He said there would be constitutional and practical problems if he tried to mandate how various departments spent their technology budgets, but he said the state is making progress.
“Agencies do OK (securing their data) if they have the time,” he said.
But it is clear the state is in a constant fight to protect sensitive data from internal mishaps and external threats. Reardon said there are 1 million attacks a day against the state’s primary data center.
The threats range from thrill-seeking hackers to criminal enterprises to foreign state-sponsored attacks, he said. Reardon said these attacks are probing for weaknesses and don’t result in the release of data. State contractors hired to defend Georgians’ information use those attacks to improve defenses in a never-ending battle.
Although Georgia’s erroneous release of data went to a small number of recipients and was not the result of a hacker’s attack, it is among the largest breaches in the nation by a state agency, according to Privacy Rights Clearinghouse.
Organizations that do a good job of protecting sensitive data have leaders and cultures that make it a priority to understand how their systems work, what records might be valuable to malicious actors, and where they need to beef up vulnerable links in their networks and policies, say security experts.
“It’s about culture and it’s about priorities,” said Inga Goddijn, executive vice president of Risk Based Security, a data security consulting firm in Richmond, Va. “It really is a leadership issue.”
The fact that Georgia Secretary of State Brian Kemp called the erroneous release of more than 6 million voters’ records a “clerical error” is not a good sign, she added.
“That’s a big deal. There’s no way of knowing if those discs were shared or copied,” said Goddijn.
Indeed, one of the 12 organizations that received Georgia’s voter data said they “disposed of” but did not destroy the disc containing all the information.
Even though most of the discs were returned, it should be assumed “the data is now free and loose in the world, and I don’t think that should be dismissed as a clerical error,” she said.
Most accidental breaches, she said, involve fewer than 1,000 records — much smaller than the Secretary of State’s release of more than 6 million voters’ personal information. “It’s not common to see such a large data breach coming from mishandling,” she said.
Of 18,329 publicly disclosed data breaches Risk Based Security has tracked since 2005, “accidental insider error” accounted for 2,476 and almost 174 million lost records, said Goddijn.
This kind of unintentional release is the most common kind of data breach at a state agency, said Roger Boyd, director of the Technology Risk and Assurance Group in the State Auditor’s office.
“It could be a lack of business processes, it could be someone getting careless, it could be not having the proper safeguards on the back end,” he said. To prevent these kinds of mishaps, Boyd said agency heads have to “sit down and think about all the ways that data gets out the door.”
Boyd said accidents are bound to happen, so the critical piece of data security is to plan for how to respond while still preserving an agency’s ability to function.
“It’s not if something is going to happen, it’s when something happens what is your response going to be?” he said.
Delayed response to breach
It is in his response to the breach that Kemp has opened himself to the greatest criticism. According to a letter Kemp sent to legislators, he knew about the breach for six days before a story in The Atlanta Journal-Constitution forced him to publicly acknowledge the problem.
Although smaller in scope, breaches at other agencies were disclosed far more quickly.
Two years ago, when a Labor Department employee mistakenly emailed the names, Social Security numbers and other private data of 4,457 people who had registered at a Cobb County career center to about 1,000 people in suburban Atlanta, the department sent out a follow-up email about five minutes later urging the recipients to delete the file and offered credit monitoring to the affected people.
This July, the Department of Human Services unintentionally emailed health information for about 3,000 clients of the Aging Services Division to a private provider. Human Services Commissioner Robyn Crittenden said the breach was limited and resolved “almost immediately” and she said additional safeguards have been implemented to stop it from happening again.
On Friday, Kemp acknowledged an earlier breach of voter information from 2012 that his office had never disclosed. Kemp said the breach was more limited in scope and that the improperly released information was recovered.
Kemp also said he planned to hire the accounting firm of Ernst & Young to conduct a “thorough, top to bottom review of our entire operation.”
While unintentional release of private information is the most common breach of state data, Reardon said it is the least severe. Usually the data is sent to a limited audience with no intent to harm, he said. Intentional breaches are a different story, he said.
“When you are dealing with a hacker, you normally are dealing with not just large numbers of records, but you are dealing with bad intent,” he said.
In 2012, South Carolina discovered that a hacker had gained access to unscrambled data on tax returns from its Department of Revenue, affecting 6.4 million people and businesses. The state has spent roughly $50 million so far providing credit monitoring to victims.
Meanwhile, personal information is at risk for as many as 21.5 million federal employees, retirees, former employees and job applicants as the result of suspected Chinese hackers’ attack on the federal Office of Personnel Management that was discovered in April. The investigation revealed that hackers had access to up to 35 years of employee files.
Even the Georgia Governor’s Mansion has not been immune. In September, the Georgia Technology Authority investigated a “phishing” attack after a volunteer accidentally infected the Wi-Fi network at Gov. Nathan Deal’s official residence.
Drivers’ data scanned and warehoused
In Georgia, citizens are expected to turn over more information than ever to a variety of government offices. If you haven’t renewed your driver’s license in years, you may be surprised by the number and breadth of documents that you may be required to bring to the Georgia Department of Driver Services (GDDS).
To meet federal identification requirements enacted in the wake of the Sept. 11, 2001, terrorist attacks, Georgia’s licensing bureau now requires most people to produce at least four identifying documents, and more if they are not U.S. citizens or have had name changes due to marriage, divorce or adoption.
The list of roughly 80 documents that license applicants can choose from is a veritable treasure trove for would-be identity thieves: Social Security cards, passports, current driver’s licenses, birth certificates, federal and state tax returns, bank statements, health care bills, Medicare cards, utility bills and marriage licenses.
Emerging from a GDDS office near Turner Field after getting a replacement license, Atlanta resident Thomas Blake said he has “some level of concern” about how the state handles his information. But he said he has to trust the state because there is no other option.
“It’s hard to feel safe, period,” he said. “But it’s something you have to go through, regardless. You aren’t going to get around it.”
GDDS spokeswoman Susan Sports said her agency does not discuss the specifics of how driver’s license information is protected so as not to aid would-be hackers, but she said safeguards were developed with the Georgia Technology Authority.
“If there had been a breach, there would have to be a public notice, and I’ll leave it at that,” she said.
That may be scant comfort to the more than 4 million Georgians who have renewed licenses and brought reams of personal documents to their local GDDS office.
Since 2012, the GDDS has been scanning drivers’ documents into electronic record files and storing them at the state’s North Atlanta Data Center, Sports said.
So far, the agency has collected scanned documents on almost 4.4 million applicants, out of nearly 7.2 million drivers with Georgia licenses. GDDS is the only agency with access to the data, she said.
The scans of drivers’ documents and ID information aren’t sent to the federal Department of Homeland Security, she said, but some information is shared with other federal and state government units when authorized by drivers or “required by law.”
For instance, most states, including Georgia, forward information weekly on males 18 to 26 years old to register them with the federal Selective Service Administration as potential military draftees. Information on people who volunteer to be organ donors also goes weekly to another national registry.
And, each day, the GDDS forwards info to the Georgia Secretary of State on license applicants who say they want to register to vote.
Lawmakers are concerned about the security of data on state servers as well. Earlier this year, State Sen. Brandon Beach, R-Alpharetta, introduced a resolution to create a committee to study “the adequacy of existing resources and policies to protect the personal information of citizens stored on government networks.” The resolution has passed the Senate Science and Technology Committee and awaits action in the full Senate when the Legislature returns in January.
Rep. Ed Setzler, R-Acworth, chairman of the House Science and Technology Committee, said lawmakers have been studying cyber-security the past few years and will be getting a briefing from FBI experts on the topic.
“It seems like at Department of Revenue, where there is a lot of sensitive information, we are doing about everything we can do,” Setzler said. “The other agencies may not be quite there yet.”