Georgia SOS Office treats data breach like nude selfie; asks boyfriends to delete from phone

Every month, usually the second week of the month, I receive a CD-ROM from the Georgia Secretary of State Election Office. About two years ago, I requested a copy of the Georgia voter file to perform some analysis of Georgia voters. As a press outlet (yes, we really are), I continue to receive this disk every month, delivered like clockwork to my home address. It’s useful on occasion when preparing investigative pieces, or for background for voter trends in Georgia.

I tend to save the data every few months to have a ‘fresh’ version, but don’t keep every copy. There are plenty of political parties and for-profit entities that track this data, and can provide much more meaningful analysis than I can.

Yesterday, Erick forwarded an email he had received via both the Redstate and WSB contact forms from an investigator with the GASOS office. The investigator was looking for me, and didn’t have anything but my name and address. This, despite the fact that the SOS form that I filled out requesting the Voter File contained my mobile number and contact information. The investigator sent the requests to Erick at 3:20PM, he forwarded them to me at 4PM, and I called at 4:10PM. The investigator asked if I still lived at the “Newcastle Drive” address, and if I was at home. I was not, I told him, but I could take a look for the disk later in the evening. “OK, then”, he said, “I’ll turn around”.

Excuse me?

Somebody wanted that disk back pretty badly.

Until yesterday evening, I had no idea that the very database I was receiving also, in it’s complete form, contains the full Social Security number, date of birth, and driver’s license number for every individual. And, apparently, I had been in possession of this information. For. Every. Single. Voter.

I returned home and found the November disk, which I originally thought I had thrown away. I reviewed the data, and found no difference from previous versions – there didn’t appear to be anything different. The investigator then confirmed that it was the October disk they were looking for, but he would take possession of November just in case it had the same problem. Clearly, there was a lack of information to be had, and priority number one was getting their hands on the disks.

After talking with the investigator, we agreed to meet this morning (November 18th) at one of the government remote offices (Chick-Fil-A North Point Mall). I checked his credentials, handed over the disk, and also a quickly typed signed statement that I had already disposed of the October disk.

Sadly, I’m sure that the SOS Elections Office thinks that getting the physical disks back amounts to some sort of meaningful control of the data. Unfortunately, just like the poor teenage girl who is convinced by her admirer to send indiscreet photos of herself, they will learn otherwise. Data has a life of it’s own, and the automated replication of data is unavoidable. Once it exists, it exists – forever.

Case in point – apparently, I had taken the (now infamous) October disk and made a copy of it to my computer. I don’t remember doing that – maybe I was on a conference call and multitasking or hadn’t yet had my coffee for the day. I only discovered this after meeting the investigator today and doing a more thorough search. (Note: I’ve now completely erased the October data using the DOD 5220-22-M standard for data erasure on magnetic drives.)

The point is that even the best intentioned folks can’t completely control data. It’s the biggest problem we have in the digital world we live in, and it’s only getting worse.

Stefan has already pointed out the various entities that receive this data. No doubt those folks are using Amazon, Google, Microsoft to spread the data around and this happens at the speed of light. The data I receive each month has never been encrypted, and comes in the form of a .zip and .txt file that anyone can open and view. Shown here is my own record in the ‘normal’ voter file, exactly as it’s supplied to me:

voter-file

And here is my record from the November file, with the three additional fields obscured. They are SSN, DOB, and DL:

voter-file-ssn

I’m not concerned about putting that information there, because it’s trivial to find out these bits on your own. It is truly scary what criminals are able to know about you. And in the dark web, the criminals have a very modern IT infrastructure that makes obtaining, buying, and selling personal and financial information quite easy. A would-be purchaser of your data and credit card numbers needs to have no more capability than shopping at Amazon, trust me.

There will be major ramifications to this data breach. Georgia law quite clearly defines the responsibilities of the parties, whether governmental or contractor.

They will offer you credit monitoring. Don’t rely on credit monitoring. Get a credit freeze today – it’s (nearly) free and very effective.

16 comments

  1. saltycracker says:

    This should result in some dismissals and Kemps resignation.

    I long ago froze my credit at the three agencies. It does not prevent your current accounts from updating their info on you or you from releasing it temporarily to open new accounts.
    Beats paying a company to monitor what happened.

    • Andrew C. Pope says:

      Salty, for once we seem to be in agreement, Kemp needs to retreat back to Athens and turn the office over to someone capable of cleaning this mess up. Other heads need to roll, too.

  2. Romegaguy says:

    When you get the voter files each month do you also get a nice autographed picture of Kemp, suitable for framing, or do you only get an electronic image?

  3. inlimine says:

    He has tonight written to all election officials to reassure them that the files were only sent to 12 entities, all were returned, and all assured him that they did nothing with the information. He also fired an IT employee over the matter and says there was no breach. I guess that settles that. Now let me check out these credit card charges made by me this morning in Paraguay.

  4. Scarlet Hawk says:

    In the HD 54 race, I was originally sent a CD, but it did not have accurate information (lots of addresses were somehow left off). After various emails and calls to the office, I finally contacted the Deputy SoS, who emailed a link. For voter data, I received this link that was active for a period of time and the information could be downloadable. It didn’t contain any information other than names and addresses, really. It was accurate, and far faster than the mail. I wonder why and for how long the SoS has used this archaic practice? Far too long either way.

    The most unfortunate thing is that the person who is now handling the clean-up is generally known as a do-nothing pretty boy who no-one in the office can determine why he has a job. Let’s hope this is his shining moment to prove himself.

  5. benevolus says:

    I was going to contact the Ga Dems about why they haven’t “retained or disseminated” the voter file for over a month, but their website isn’t working and I can’t reach them on the phone.

    I guess they don’t need any hassling from me.

Comments are closed.