Last night, Georgia Secretary of State Brian Kemp released a statement regarding the improper dissemination of Personal Information (PI) of 6.1 million current and former Georgia voters. This information included the full Social Security number, driver’s license number, and full date of birth for these individuals. Yesterday, I blogged about how Peach Pundit received the data and was part of the physical data recovery effort on the part of the GASOS office.
As I sit here this morning, there are still some problems with the response of the GASOS. Some of those problems involve Peach Pundit and myself. And given that we are talking about a potential $30.5 BILLION problem, accuracy is pretty important.
Let’s start with the fact that the list of disk recipients that the GASOS gave to the AJC is incorrect.
The list of disk recipients is incorrect
Georgia Secretary of State Brian Kemp said these 12 organizations received data containing the personal information of more than 6 million voters that should not have been included in the files, such as Social Security numbers and dates of birth:
Georgia Democratic Party
Georgia Republican Party
Georgia Libertarian Party
Independence Party of Georgia
Southern Party of Georgia
Savannah Morning News
Georgia GunOwner Magazine
News Publishing Co.
But that list is incorrect. I know it’s incorrect because Peach Pundit is not listed. Here is the original request I made for the data, clearly listing my affiliation:
Given the gravity of the potential damage that could be done by this leaked data, isn’t it really, really important to have the right information and communicate that to the public? Although RedState and Peach Pundit are often considered “cousins” because Erick and I were heavily involved with both, my affiliation with RedState ended in 2007… more than five years before my Voter File request.
I’ll let RedState speak for themselves, but I’m told they never requested or received the data. Erick didn’t even know I had requested the Voter File until two days ago.
If you read my original story, the GASOS investigator contacted Erick via the RedState and WSB contact forms to get my contact information. They were sending out disks monthly and didn’t even have an accurate list of contact information for the recipients. Thank goodness they made the connection between Erick and me, but that should never have been left to chance and contact forms. The sloppy chain of custody around the data distribution is inexcusable, especially given the potential for this kind of event to occur.
And let’s be clear – I did not return the October disk with the personal information on it. As I outlined in my statement to the GASOS office, I disposed of the disk shortly after receiving it. That’s what I do with most of the disks after I copy the data to a computer. (Why? Because only one of my computers at home even has a CD-ROM drive, and it’s not my main machine). Since the data was public record, I never considered that a formal destruction and disposal process was necessary.
It IS a data breach
The statement released by Brian Kemp says the following:
To reiterate, the Georgia Voter Registration System was not breached. The system has been and remains secure, and I am confident no voter’s personal information has been compromised.
Hoo boy, where to start. According to O.C.G.A. § 10-1-911, the definition of a breach is as follows:
(1) “Breach of the security of the system” means unauthorized acquisition of an individual’s electronic data that compromises the security, confidentiality, or integrity of personal information of such individual maintained by an information broker or data collector.
It’s accurate for him to say that the Georgia Voter Registration System was not breached. But that’s not the full story. When we talk about a data breach, we’re talking about the security and confidentiality of the data, not of any particular technology or process in place to protect it. Both the security and the confidentiality of the personal information have in fact been breached – including my own, and that of my family and friends.
Secondly, I hope that Mr. Kemp has engaged a third-party information security firm to test his thesis that the GVRS “has been and remains secure”. If you’ve received a new credit or debit card in the last few years thanks to the data breaches at Target, Home Depot, and the hundreds of small financial firms that have been hacked, then you know how ‘confidence’ can lead to a false sense of security. Cyber information security is all about leaving your confidence at the door and acting on best practices. And now that the bad guys know what the GVRS contains, I’m willing to bet it’s a high-profile target.
And another point on that “confidence”… At least one copy of the personal information of the voters, including my own and that of my family and friends, is sitting in a landfill somewhere. How confident are you that it will never be discovered? (Hint: Start Here)
The potential impact and fixing the problems
The average cost of identity theft is about $5000 for each victim. The GASOS data breach has a $30.5 BILLION potential. I certainly hope that the data never makes its way into the wrong hands. But the physical security of the data, which was the focus of the GASOS office, is only the beginning. They have some serious work to do, and need to do it with the help of an outside party that has deep experience.
This event has highlighted some serious process and administrative issues in the GASOS office. There are many critics of Mr. Kemp and the GASOS Office and these recent events only reinforce the perception that the office has serious competency problems. I’ve interacted with very nice, thoughtful people over the years in the office, but that’s not enough. This is above all an administrative function, and they need to get that stuff right.