Let’s set the record straight on #peachbreach

Last night, Georgia Secretary of State Brian Kemp released a statement regarding the improper dissemination of Personal Information (PI) of 6.1 million current and former Georgia voters. This information included the full Social Security number, driver’s license number, and full date of birth for these individuals. Yesterday, I blogged about how Peach Pundit received the data and was part of the physical data recovery effort on the part of the GASOS office.

As I sit here this morning, there are still some problems with the response of the GASOS. Some of those problems involve Peach Pundit and myself. And given that we are talking about a potential $30.5 BILLION problem, accuracy is pretty important.

Let’s start with the fact that the list of disk recipients that the GASOS gave to the AJC is incorrect.

The list of disk recipients is incorrect

Yesterday, the AJC reported the following:

Georgia Secretary of State Brian Kemp said these 12 organizations received data containing the personal information of more than 6 million voters that should not have been included in the files, such as Social Security numbers and dates of birth:
Georgia Democratic Party
Georgia Republican Party
Georgia Libertarian Party
Independence Party of Georgia
Southern Party of Georgia
Atlanta Journal-Constitution
Macon Telegraph
Savannah Morning News
Georgia GunOwner Magazine
Georgia Pundit
News Publishing Co.
RedState

But that list is incorrect. I know it’s incorrect because Peach Pundit is not listed. Here is the original request made by myself for the data, clearly listing my affiliation:

[Image: voter-file-request-peachpundit]

Given the gravity of the potential damage that could be done by this leaked data, isn’t it really, really important to have the right information and communicate that to the public? Although RedState and Peach Pundit are often considered “cousins” because Erick and I were heavily involved with both, my affiliation with RedState ended in 2007… more than five years before my Voter File request.

I’ll let RedState speak for themselves, but I’m told they never requested or received the data. Erick didn’t even know I had requested the Voter File until two days ago.

If you read my original story, the GASOS investigator contacted Erick via the RedState and WSB contact forms to get my contact information. They were sending out disks monthly and didn’t even have an accurate list of contact information for the recipients. Thank goodness they made the connection between Erick and myself, but that should have never been left to chance and contact forms. The sloppy chain of custody around the data distribution is inexcusable, especially given the potential for this kind of event to occur.

And let’s be clear – I did not return the October disk with the personal information on it. As I outlined in my statement to the GASOS office, I disposed of the disk shortly after receiving it. That’s what I do with most of the disks after I copy the data to a computer. (Why? Because only one of my computers at home even has a CD-ROM drive, and it’s not my main machine). Since the data was public record, I never considered that a formal destruction and disposal process was necessary.

It IS a data breach

The statement released by Brian Kemp says the following:

To reiterate, the Georgia Voter Registration System was not breached. The system has been and remains secure, and I am confident no voter’s personal information has been compromised.

Hoo boy, where to start. According to O.C.G.A. § 10-1-911, the definition of a breach is as follows:

(1) “Breach of the security of the system” means unauthorized acquisition of an individual’s electronic data that compromises the security, confidentiality, or integrity of personal information of such individual maintained by an information broker or data collector.

It’s accurate for him to say that the Georgia Voter Registration System was not breached. But that’s not the full story. When we talk about a data breach, we’re talking about the security and confidentiality of the data, not of any particular technology or process in place to protect it. Both the security and confidentiality of the personal information have in fact been breached – including my own, and that of my family and friends.

Secondly, I hope that Mr. Kemp has engaged a third-party information security firm to test his thesis that the GVRS “has been and remains secure”. If you’ve received a new credit or debit card in the last few years thanks to the data breaches at Target, Home Depot, and the hundreds of small financial firms that have been hacked, then you know how ‘confidence’ can lead to a false sense of security. Information security is all about leaving your confidence at the door and acting on best practices. And now that the bad guys know what the GVRS contains, I’m willing to bet it’s a high-profile target.

And another point on that “confidence”… At least one copy of the personal information of the voters, including my own and that of my family and friends, is sitting in a landfill somewhere. How confident are you that it will never be discovered? (Hint: Start Here)

The potential impact and fixing the problems

The average cost of identity theft is about $5000 for each victim. The GASOS data breach has a $30.5 BILLION potential. I certainly hope that the data never makes its way into the wrong hands. But the physical security of the data, which was the focus of the GASOS office, is only the beginning. They have some serious work to do, and need to do it with the help of an outside party that has deep experience.

This event has highlighted some serious process and administrative issues in the GASOS office. There are many critics of Mr. Kemp and the GASOS Office and these recent events only reinforce the perception that the office has serious competency problems. I’ve interacted with very nice, thoughtful people over the years in the office, but that’s not enough. This is above all an administrative function, and they need to get that stuff right.

11 comments

  1. bobbatl says:

    This shows poor planning and management of policies supposedly designed to protect sensitive voter information. Confidentiality policies translate into programming of systems and “need to know only basis” access to information stored in systems by employees. The fact that a state employee could run a report that produces a file/disc that doesn’t mask this information (or includes it at all) is evidence there are serious issues with implementation and management of stated privacy and confidentiality policies.
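The comment above makes the point that a confidentiality policy only counts once it is enforced in the export code itself, so that a report cannot emit SSN, driver’s license or birth-date columns no matter what the operator asks for. The following is an added example, not code from Peach Pundit or the GASOS office, showing one way to do that: an allowlist-driven export that drops restricted columns, plus an independent release check that scans the finished file for SSN-like and birth-date-like values before it is allowed out. All column names, voter records and values are constructed for the example.

```python
import csv
import io
import re

# Constructed sample records (fictitious values) with the kinds of fields the
# post says the October disk contained. Nothing here is real voter data.
VOTER_ROWS = [
    {"voter_id": "1001", "name": "Ada Example", "county": "Fulton",
     "reg_date": "2010-03-02", "ssn": "123-45-6789",
     "dl_number": "012345678", "dob": "1980-06-15"},
    {"voter_id": "1002", "name": "Ben Sample", "county": "Cobb",
     "reg_date": "2014-11-20", "ssn": "987-65-4321",
     "dl_number": "087654321", "dob": "1975-01-30"},
]

# Columns a public voter file may carry (assumed names for this example).
PUBLIC_FIELDS = ("voter_id", "name", "county", "reg_date")

# Columns that must never leave the system in a public export, whatever the
# report template or the requester asks for.
RESTRICTED_FIELDS = frozenset({"ssn", "dl_number", "dob"})


def build_public_export(rows, requested_fields):
    """Return CSV text containing only requested columns that are on the allowlist.

    Restricted columns are silently dropped even if requested; columns the
    system does not know about are rejected rather than passed through.
    """
    unknown = set(requested_fields) - set(PUBLIC_FIELDS) - RESTRICTED_FIELDS
    if unknown:
        raise ValueError(f"unknown fields requested: {sorted(unknown)}")
    fields = [f for f in requested_fields if f in PUBLIC_FIELDS]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def build_unfiltered_export(rows):
    """The failure mode the post describes: a report that dumps every column."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


# Patterns for the data classes the post says leaked. The release gate runs
# these over the finished file, independently of whatever code produced it.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(r"\b(19|20)\d{2}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])\b")


def release_check(csv_text, date_fields=("reg_date",)):
    """Scan an export for restricted data classes and return a list of findings.

    Known non-sensitive date columns are skipped so that a registration date
    does not trip the birth-date pattern.
    """
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    leaked_columns = RESTRICTED_FIELDS.intersection(header)
    if leaked_columns:
        findings.append(f"restricted column present: {sorted(leaked_columns)}")
    for lineno, row in enumerate(reader, start=2):
        for col, value in row.items():
            if not value:
                continue
            if SSN_RE.search(value):
                findings.append(f"line {lineno}: SSN-like value in column {col}")
            if col not in date_fields and DOB_RE.search(value):
                findings.append(f"line {lineno}: date-of-birth-like value in column {col}")
    return findings


def export_for_release(rows, requested_fields):
    """Build the export, then refuse to release it if the scanner flags anything."""
    text = build_public_export(rows, requested_fields)
    findings = release_check(text)
    if findings:
        raise RuntimeError("export blocked: " + "; ".join(findings))
    return text


if __name__ == "__main__":
    print(export_for_release(VOTER_ROWS, ["voter_id", "name", "county", "reg_date"]))
    for finding in release_check(build_unfiltered_export(VOTER_ROWS)):
        print("BLOCKED:", finding)
```

The two layers are deliberately separate: the allowlist prevents the restricted columns from being written, and the scanner catches the case the allowlist was bypassed or a new column was added without anyone updating the policy. A month-by-month disk mailing is exactly the kind of routine job where a template change goes unnoticed, so the second check is the one that would have stopped the October disk.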

  2. Will Durant says:

    First off, thank you Mr. Wagar for staying on top of this. It goes to the heart of the matter that regardless of spin from the SoS that there has been a breach of personal data and that we have no assurance that information has not or will not be circulated into the wrong hands.

    From the AJC: Kemp said Thursday that all 12 discs sent to the organizations “have been accounted for. Each recipient, including the Georgia Republican Party and the Georgia Democratic Party, has confirmed that the data was not retained or disseminated to any outside parties.”

    Yet we find that more than one month after the fact Kemp’s office can’t even get their story straight on who the actual recipients of the discs are. There is no way that the absolute denial of the data being compromised is valid as noted here with the treatment of this disc. Also as of his statement yesterday the Libertarian Party hadn’t even responded to the disposition of their disc since its importance wasn’t conveyed when they were initially contacted. And of course there is no way we know how many hands the other purported 10 discs passed through or once copied to drives or public areas on servers.

    To simply assume that out of all of those handling or seeing this data with no audit trails attached, that there wasn’t anyone who might have been tempted to make a buck is ludicrous. As are the SoS’s false assurances.

    • NoTeabagging says:

      I didn’t fall off the turnip truck yesterday, I cannot possibly believe that list of organizations discarded this information. The list is always obtained for commercial use and sold to the next highest bidder.

  3. chefdavid says:

    I don’t know about you but when I receive info on disc it gets copied to a server where numerous various users have access. So you are going to tell me that after a month on 11 different organizations this information was not copied to a server set to national org as an update? I’m not buying that the info did not get out. Various orgs may say they don’t have it or it may have been copied from their servers by users they don’t know about.

  5. Dave Bearse says:

    It’s plausible there will be state payments for credit monitoring. With Equifax in town, a silver lining for the Kemp Gubernatorial campaign is the use of Georgia tax dollars to create good private sector jobs.

  6. Mrs. Adam Kornstein says:

    Thank you for this post, helpful.

    Puzzling however why Georgia GunOwner Magazine gets this info? I mean.. what the what.

    • Will Durant says:

      I would guess it’s because a one time charge of $500 is cheaper than you could buy a mailing list of 6.5 million names from Experian or the other commercial providers. You are also guaranteed that they are all potential voters and the addresses are likely 99.9% accurate.

  7. NoTeabagging says:

    The SOS does sell this information. “Voter registration lists and files are available to the public. The files contain the following information: voter name, residential address, mailing address if different, race, gender, registration date and last voting date. Pricing is set by the Secretary of State’s Office. Such data may not be used by any person for commercial purposes. (O.C.G.A. §21-2-225 (c))” I spoke to an SOS representative a few years back. They said the SOS does not and cannot enforce the use of the information for “commercial purposes”. We have all been sold South many times over the years.

    I urge anybody to re-register and remove any information no longer required, such as your SSN. You can also check “other” for race and screw up gerrymandering attempts.

    Looking over the partial list of recipients, I’m not really happy knowing the Koch Brothers, and god knows how many other scurrilous databases, have my info and are selling it on those tacky directory websites.
