Millions of Georgia voters may have had their personal information compromised for the second time in as many years, as the Federal Bureau of Investigation opened an investigation Friday at Kennesaw State University's Center for Election Systems involving an alleged data breach.
As many as 7.5 million voter records may be involved, according to a top state official briefed on the information but not authorized to speak on the record. Neither federal officials nor university officials would confirm the scope of the investigation or how many records had potentially been accessed.
State officials found out about the breach Thursday evening, after being notified by the university. The governor’s office said it asked the Georgia Bureau of Investigation to contact the FBI after learning about the scope of the problem.
“After learning of this incident at Kennesaw State University, we reached out to law enforcement,” Georgia Secretary of State Brian Kemp said. “This matter is deeply concerning, but I am confident the FBI working with KSU will track down the perpetrator.”
The university in a statement released Friday afternoon said it was “working with federal law enforcement officials to determine whether and to what extent a data breach may have occurred involving records maintained by the Center for Election Systems.”
“Because this involves a pending criminal investigation, Kennesaw State will have no further comment on this matter and any inquiries should be addressed to the U.S. Attorney’s Office,” the statement said.
The FBI had no immediate comment. A spokesman for the U.S. Attorney’s Office also declined to comment because the investigation is ongoing.
The Georgia Secretary of State’s Office said Friday that the investigation is not related to its own network and is not a breach of its own, separate database containing the personal information of 6.6 million voters currently registered in Georgia. The office referred all other questions to both university and federal officials.
In 2015, the Secretary of State’s Office inadvertently disclosed the Social Security numbers and other private information of more than 6 million registered voters. That data went to 12 organizations, including media outlets and political parties, who regularly subscribe to “voter lists” maintained by the state, although the office later said all 12 discs containing the data were either recovered or destroyed.
The election systems center at the university has since 2002 overseen the state’s election operations and voting machines. It does that work through an agreement with the Secretary of State’s Office. It does not, however, maintain live databases or the state’s official voter registration database.
The collaboration with the center is one of the most unusual election partnerships in the nation. Merle King, the center's executive director, is respected nationally for his deep knowledge of election systems. The center has only one client — the state – and only a handful of staff and student assistants, yet it has a hand in almost every operation that touches Election Day.
It creates every ballot for every election and tests every single piece of voting equipment used across the state, among other things.
The center also sources every single device known as an electronic poll book (a digital list of eligible voters) used by poll workers in each of the state’s 3,000 precincts to verify voters’ names, addresses and registration.
It pulls those names from the Secretary of State’s Office’s database, although the list at the center is itself not live on the internet. It is instead housed on a closed, internal system at the center. The voting transaction logs kept on those electronic poll books are also not directly housed on the internet but rather on the center’s servers.
That is by design. While anything is possible, the system has different layers of security and controls built into it to limit and detect unauthorized access.
If a breach occurred involving voter records, it would likely have to do with the logs used to create the electronic poll books. It also would likely have come through the university’s own information technology system, given the statement from the Secretary of State’s Office that its network and systems were not involved.
The university’s IT system would have provided the most likely gateway into the center’s servers and into the logs used by the center to build the poll books.
It is unclear, however, exactly how it happened, exactly what information was taken or whether the breach was malicious.
Tony Uceda Velez, the CEO of the Atlanta-based data security company VerSprite, is not involved in the probe but said he would expect federal investigators to cast a wide net in piecing together what happened.
“They’re going to comb through network logs, going to look at server logs, they’re going to look at application logs and they’re basically going to try to piecemeal a time of when the attack happened and what types of activities happened on the network and on those different sources,” Uceda Velez said.
“I know a lot of people at the university and there are a lot of good people there,” he said, “and I’m sure they’re doing the necessary steps around forensic analysis and incident response.”
