Georgia Data Release Prompts Audit

After the accidental release of 6 million voters' information, the employee responsible has been fired and an auditing agency will review the department.

by Kristina Torres, The Atlanta Journal-Constitution / November 23, 2015

(TNS) -- Georgia Secretary of State Brian Kemp plans to hire top auditing agency Ernst & Young to review his technology department in the wake of a data breach that exposed private information of more than 6 million voters.

In a statement sent out after 6 p.m. Friday, Kemp also acknowledged a “similar but more limited” incident occurred in October 2012. According to emails obtained by The Atlanta Journal-Constitution through an open records request about that incident, 12 voter registration lists containing sensitive personal data were sent out to people in 15 counties. But Kemp’s statement said “all of the information was recovered at the time.”

News of the most recent incident became widely known Wednesday, when the AJC wrote about a class-action lawsuit alleging a massive data breach in the Secretary of State’s Office.

Kemp has fired an IT employee over what he called a “clerical error.” According to Kemp, the employee inadvertently added the personal data including Social Security numbers and birth dates to a public statewide voter file before it was sent out last month to 12 organizations who regularly subscribe to “voter lists” maintained by the state.

The groups receiving the data — delivered via compact discs — included state political parties, news media organizations and Georgia GunOwner Magazine.

The office later admitted it had known about the breach since Nov. 13 — a month after the discs were mailed out. It did not say anything publicly about it until after the story was published online Wednesday. On Thursday, it formally posted on its website an official notice of the breach as required by state law.

The notice gave fraud prevention advice and a hotline number within the Secretary of State’s Office for concerned residents to call — but no promise of credit monitoring.

Kemp has denied the disclosure was a breach of the state’s voter registration system.

“To be clear, the voter registration system was not hacked,” Kemp said Friday. “Human error led to this information being shared with the media and political parties. All 12 discs have been recovered or confirmed they were destroyed by the recipients.”

Kemp said the incident in 2012 prompted a restructuring of the office’s IT department, the same department that employed the worker he blamed for the most recent incident.

“I am confident that all voter information is secure and safe,” Kemp said.

©2015 The Atlanta Journal-Constitution (Atlanta, Ga.) Distributed by Tribune Content Agency, LLC.