Accidental release of millions of Georgia voters' private info leads to suit against state
Image from Shutterstock.
The Georgia Secretary of State’s office accidentally sent protected personal information for its states’ registered voters on computer disks to third parties last month, along with the public voter-registration records for which those organizations had paid.
A Fulton County lawsuit filed Tuesday by two women says the personal information for more than 6 million people may have been breached, reports the Atlanta Journal-Constitution. Dates of birth, driver’s license numbers and Social Security numbers were included on the disks, the suit says. The Journal-Constitution, which was one of the media outlets which receives these disks each month, verified that the driver’s license info and Social Security number of one of their staffers was included in the data. However, it is not clear from news coverage that all of this information was provided for each individual listed on the computer disks.
Secretary of State Brian Kemp said in a Wednesday letter (PDF) he is confident all of the personal information has been corralled.
The disks, which went to at least dozen groups, including news media organizations and statewide political parties, have been returned and his office has been assured the information was not disseminated further, Kemp explained. Every month Kemp’s office sends out these disks with the names, addresses and demographic information of registered voters, but October’s disks had much more detailed information. Kemp blamed the mistaken inclusion of the data on “a clerical error in the IT Division,” and said measures have been taken to prevent such an error from occurring again.
“To reiterate, the Georgia voter registration system was not breached,” he writes. “The system has been and remains secure, and I am confident no voter’s personal information has been compromised.”
A copy of his letter is provided by WSAV.
“Sadly, I’m sure that the SOS Elections Office thinks that getting the physical disks back amounts to some sort of meaningful control of the data,” wrote Clayton Wagar, publisher of the Peach Pundit. “Unfortunately, just like the poor teenage girl who is convinced by her admirer to send indiscreet photos of herself, they will learn otherwise. Data has a life of its own, and the automated replication of data is unavoidable. Once it exists, it exists–forever.”
Wagar said that he was contacted by an investigator to retrieve the October disk, but had already discarded the physical disk after downloading the information to his computer. He wrote that he had not closely examined the data, and did not know until he was contacted that it contained the additional information. He reports that he turned over the November disk to the investigator just to be safe, and that he has erased the October data from his computer using industry standard practices.
“It’s accurate for [Kemp] to say that the Georgia Voter Registration System was not breached,” Wagar wrote in a followup blog post to Kemp’s statement. “But that’s not the full story. When we talk about a data breach, we’re talking about the security and confidentiality of the data, not of any particular technology or process in place to protect it. Both the security and confidentiality of the personal information has in fact been breached–including my own, and that of my family and friends.”
Wagar also cast doubt on the list Kemp provided to the Journal-Constitution of organizations which received the disks, pointing out that his publication was not mentioned by name in the list.
The plaintiffs are asking for a court order requiring the state to give notice to those affected and take measures to safeguard their information, as well as attorney’s fees and costs.
Updated at 4:17 p.m. to include additional information.