Georgia Secretary of State Does Damage Control Following Data Breach

During the nightmarish weekend for Georgia voters after their private information was released, Secretary of State Brian Kemp is offering them free credit monitoring services for a year.

by Kristina Torres, The Atlanta Journal-Constitution / December 4, 2015
Georgia Secretary of State Brian Kemp Office of Brian Kemp
Georgia Secretary of State Brian KempOffice of Brian Kemp

(TNS) -- Georgia Secretary of State Brian Kemp announced plans Thursday to offer 6.2 million registered voters a year of free credit and identity theft monitoring services.

The announcement came more than two weeks after a massive data breach at the agency exposed those voters’ personal information, including Social Security numbers and birth dates. An agency spokesman said the move is expected to cost $1.2 million, paid by the agency through reserve funds.

Kemp said he has contracted with Austin, Texas-based CSID for services that will be available within 10 to 14 business days. Additionally, he said all Georgia voters in the breach whose identity is compromised will be eligible for identity theft restoration services if their identity is compromised over the next year.

“I am confident that all personal information is safe and secure. However, I believe Georgia voters deserve peace of mind regarding this incident,” Kemp said in a statement. “We are continuing our internal investigation and have hired Deloitte to conduct an independent audit of all of our IT operations. Georgians have my word this will not happen again.”

It is not clear whether the state may face additional costs, or whether confidence that the exposed data was relatively contained helped keep costs down.

In 2012, a massive data breach reported by South Carolina exposed 3.8 million Social Security numbers, and officials blamed hackers who got into the state’s system. South Carolina paid Experian at least $12 million to provide credit monitoring for victims. State lawmakers there also put an additional $25 million into the budget for an extra year of credit protection and to upgrade computer security.

The audit by Deloitte is expected to cost about $400,000. And while many voters and lawmakers had called on Kemp to offer protection such as credit monitoring, the lack of details in Thursday’s announcement left some cold.

“While credit monitoring might be free for Georgians to enroll, it certainly won’t be free to the taxpayers,” said state Rep. Scott Holcomb, D-Atlanta, who has been a vocal critic of Kemp’s handling of the data gaffe.

“On one hand the secretary of state is saying there’s nothing to worry about. On the other, he’s providing credit monitoring. It’s a mixed message, to say the least,” Holcomb said. “Now Secretary Kemp is signing up taxpayers to pay an additional $1.2 million for credit monitoring that he claims is unnecessary. That ain’t very fiscally conservative in my book.”

The personal data released in the breach appear to have been inadvertently sent out last month to 12 organizations that regularly subscribe to “voter lists” maintained by the state. The groups receiving the data — delivered via compact discs — included state political parties, news media organizations and Georgia GunOwner Magazine.

Kemp two weeks ago fired an IT employee over what he dubbed a “clerical error.” That worker, longtime state programmer Gary Cooley, has disputed Kemp’s version of events and told The Atlanta Journal-Constitution he did not have the security access to add millions of Social Security numbers and birth dates to a public data file.

Cooley instead outlined a more complicated series of missteps and miscommunication, both within the office and with PCC Technology Group, an outside vendor tasked with managing voter data for the state.

Kemp, who says he became aware of the breach Nov. 13, has said all 12 data discs illegally disclosing the private information have either been recovered or destroyed, and that the data were not disseminated. He also denied the disclosure was a breach of the state’s voter registration system, saying the system itself was not hacked.

The agency has refused to turn over additional public records documenting aspects of the breach, saying it will release them after it completes an ongoing internal investigation.

Data security experts have said the data released in the breach could cause significant damage to consumers if the information were to fall into the wrong hands.

On Monday, the League of Women Voters of Georgia formally asked Gov. Nathan Deal to open an independent inquiry into the release — a request Deal declined. Deal, whose office has previously referred all questions to Kemp’s office, for the first time Wednesday addressed the gaffe. He said he’s still confident in Kemp’s leadership. He declined the call for an independent inquiry.

©2015 The Atlanta Journal-Constitution (Atlanta, Ga.) Distributed by Tribune Content Agency, LLC.