ATLANTA (AP) — Georgia's secretary of state said Thursday that he takes "full responsibility" for more than 6 million voters' personal information being released to media and political parties and has fired an employee who he said is at fault.
Secretary of State Brian Kemp said in a statement that as of Thursday morning, all 12 discs containing sensitive information had been retrieved or destroyed.
"My staff has verified with the media outlets and political parties that received these discs that they have not copied or otherwise disseminated confidential voter data to outside sources," he said. "I am confident that our voters' personal information has not been compromised."
But at least one person who said he regularly receives the file told The Associated Press on Thursday that he threw the October disc away before an investigator with Kemp's office asked that it be returned. Kemp spokesman David Dove said the office considers that disc "disposed."
A lawsuit filed this week revealed what Kemp said his office learned on Friday — that Social Security numbers, dates of birth and driver's license numbers for 6.1 million registered voters was included in a voter file provided last month to 12 organizations.
That's among the largest breaches affecting states, if not the largest, according to a timeline kept since 2005 by the Privacy Rights Clearinghouse. South Carolina in 2012 discovered that unencrypted data from tax returns was hacked from its Department of Revenue, affecting 3.8 million adults, 1.9 million dependents and 700,000 businesses. The state spent nearly $50 million on credit monitoring services.
Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse, said the information released in Georgia can cause more serious issues than recent commercial breaches at retailers including Target. Those involved debit or credit card numbers, allowing consumers to catch fraudulent charges.
"You're not going to find out that somebody has obtained a credit card in your name," Stephens said. "They will go out, run up a big bill and when it's not paid, a collection agency comes looking and finds you, not the crook."
Stephens recommended a security freeze or fraud alert available through the three official credit reporting agencies.
Kemp's office on Thursday issued a formal alert and recommended that registered voters request free credit reports. The alert provided instructions on how to request a security freeze but didn't offer credit monitoring. It warned against fake emails or calls offering monitoring by the Secretary of State's office.
Kemp's office regularly provides an updated voter file to statewide parties and media, as allowed by Georgia law. Others can pay a $500 fee to get a copy of the file. It is supposed to include only a voter's name, residence, mailing address, race, gender, registration date and last voting date.
Clayton Wagar, publisher and owner of the political blog PeachPundit.com, said he has received a copy of the file each month since 2013. Wagar said an investigator with the office called him on Tuesday to retrieve the latest disc.
Wagar said he found a disc from November at his home but could not find October's. He said he must have thrown that disc away, unaware that it contained the extra personal information.
"I can't guarantee once it left me where it went," Wagar said. "It's not going to get us anywhere to have a false sense of security."
The next day, he gave an investigator a signed statement saying he had thrown the October disc away and also returned his November disc, which did not contain the extra personal information. Wagar said he later found an October voter file on his personal computer, searched for and found his own Social Security number, and then deleted the file.
Kemp on Wednesday said the additional personal information was put in the wrong file because of a "clerical error." Kemp said the IT employee responsible was fired for "breaking internal rules."
On Thursday, he promised to limit employee access to the secure site where the voter file can be downloaded to one person. Kemp also said he's creating a "three-part check" before discs containing the statewide voter file can be sent to the public.
State Sen. Greg Kirk and Rep. Ed Rynders, Republican lawmakers who sit on the respective House and Senate committees overseeing state government, said they remain confident in Kemp.
"It's a human mistake," said Rynders, chair of the House Governmental Affairs Committee. "So you put the proper oversight in place and decrease the likelihood these type of accidents don't occur in the future."
Rep. Scott Holcomb, D-Atlanta, called the release a "complete breakdown" and said he wants details from Kemp about how the office concluded voters' information is secure.
"We're not talking about minor details," Holcomb said. "These are all the pieces to the puzzle that people who want to commit identity theft need."
Attorney Jennifer Auer Jordan is seeking class-action status for the lawsuit and said Wednesday that her two clients want Kemp to notify voters and credit agencies and provide credit monitoring.
Copyright 2015 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
The following is a public statement released by Georgia Secretary of State Brian Kemp this afternoon:
Dear Georgia Voters:
On Friday, November 13, 2015, the Georgia Secretary of State’s office learned that voters’ personal information was inadvertently included on a statewide voter disc that was sent to twelve groups. These groups included Georgia political parties and news media. Due to a clerical error where information was put into the wrong file, the discs contained personal identifying information that should not have been included. As of 11:00 am on Thursday, November 19, 2015 all twelve discs have been accounted for. Nine discs were retrieved by the Secretary of State’s office. The other three were confirmed to be disposed of by the recipients. Each of the twelve recipients, including the Georgia Republican Party and the Georgia Democratic Party, confirmed that they did not retain a copy of the information, either electronic or otherwise and that the information was not disseminated to any outside groups.
The office took immediate action to protect Georgia voters’ personal information. We retrieved the discs and confirmed that the recipients had not copied or otherwise disseminated the data. Our first priority is to minimize the impact of this mistake and to ensure that Georgia voter’s personal information is secure. The discs were mailed to the recipients on October 13, 2015, but other than the IT employee responsible for the error, the office was not aware the discs contained sensitive personal information until Friday, November 13, 2015. The employee who made the error has been terminated and additional safeguards, including a three-part check system, have been implemented to ensure that this situation does not happen again. Again, each of the twelve recipients confirmed that they did not retain a copy of the information and that it was not disseminated to any outside group.
To reiterate, the Georgia Voter Registration System was not breached. The system has been and remains secure. This issue was caused by a clerical error that has been remedied. While information was included on those twelve discs that should not have been included, we are confident that the information has now been secured and accounted for.
All registered voters in Georgia as of October 13, 2014 may be impacted. To check if you are a registered voter, visit the Georgia My Voter Page at www.mvp.sos.ga.gov.
The information on the discs included names, addresses, dates of birth, social security numbers (if provided), driver’s license numbers (if provided), voter registration numbers, phone numbers (if provided), gender (if provided), race (if provided), and voter precinct information.
The Secretary of State’s office has established a dedicated hotline that you can call if you have questions related to this incident. That number is (404) 654-6045. We have included contact information for the three nationwide credit bureaus below.
Fraud Prevention Tips
We want to make you aware of steps you may take to guard against identity theft or fraud.
We recommend that potentially impacted individuals remain vigilant for incidents of fraud and identity theft; this includes reviewing account statements and monitoring free credit reports. It is always a good idea to review your payment card statements carefully and call your bank or card issuer if you see any suspicious transactions. The policies of Visa, MasterCard, American Express, and Discover provide that you have zero liability for any unauthorized charges if you report them in a timely manner.
You are entitled under U.S. law to one free credit report annually from each of the three national credit bureaus, whose contact information is below. To order your free credit report, you can also visit www.annualcreditreport.com, call toll-free at 877-322-8228 or complete the Annual Credit Report Request Form on the FTC’s website (www.ftc.gov) and mail it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. Review your credit report carefully to ensure that the information it contains is accurate. If you see anything on your credit reports or credit card accounts that appears incorrect, contact the credit reporting agencies and/or your credit card provider.
Report suspected incidents of identity theft to local law enforcement, the Federal Trade Commission, or your state attorney general. To learn more, you can go to the FTC’s web site at www.consumer.gov/idtheft, call the FTC at 877-IDTHEFT, or write to the Federal Trade Commission, Consumer Response Center at 600 Pennsylvania Avenue, NW, Washington, D.C. 20580. The Georgia Department of Law Consumer Protection Unit may be contacted by telephone at 1-800-869-1123 or by mail at 2 Martin Luther King Jr. Dr., Suite 356, Atlanta, GA 30334. You can visit their website with additional information about identity theft at http://consumer.georgia.gov/consumer-topics/identity-theft-what-to-do-if-it-happens-to-you.
You should be aware of scam email campaigns targeting individuals. These scams, designed to capture personal information (known as “phishing”), are designed to appear as if they are from the Secretary of State, and the emails include a “click here” link for credit monitoring. These emails are NOT from the Secretary of State.
- DO NOT reply to the email or reach out to the senders in any way.
- DO NOT supply any information on the website that may open, if you have clicked on a link in the email.
- DO NOT open any attachments that arrive with the email.
The Secretary of State is not calling individuals regarding the incident and is not asking for credit card information or Social Security numbers. For more guidance on recognizing scam email, please visit the FTC website: http://www.consumer.ftc.gov/articles/0003-phishing.
Credit Bureau Information
Fraud Alert and Credit Freeze Information
You may obtain additional information from the FTC and the nationwide credit bureaus about fraud alerts and security freezes. You can add a fraud alert to your credit report file to help protect your credit information. A fraud alert can make it more difficult for someone to get credit in your name because it tells creditors to follow certain procedures to protect you, but it also may delay your ability to obtain credit. You may place a fraud alert in your file by calling just one of the three nationwide credit bureaus listed above. As soon as that bureau processes your fraud alert, it will notify the other two bureaus, which then must also place fraud alerts in your file. In addition, you can visit the credit bureau links below to determine if and how you may place a security freeze on your credit report to prohibit a credit bureau from releasing information from your credit report without your prior written authorization:
- Equifax security freeze: https://www.freeze.equifax.com
- Experian security freeze: https://www.experian.com/consumer/security_freeze.html
- TransUnion security freeze: https://www.transunion.com/personal-credit/credit-disputes/credit-freezes.page
Notification Provided by Website and State-Wide Media
The total number of potentially affected voters is 6,181,413. Pursuant to O.C.G.A. § 10-1-911(4)(D), the potentially affected class of individuals to be notified exceeds 100,000 people, and the cost to notify those individuals exceeds $50,000. The Secretary of State’s office does not have e-mail addresses for the individuals to be notified. This notice will be posted on a conspicuous place on the Secretary of State’s website at www.sos.ga.gov and will be sent to major state-wide media.
Brian Kemp has been Secretary of State since January 2010. Among the office’s wide-ranging responsibilities, the Secretary of State is charged with conducting secure, accessible, and fair elections, the registration of corporations, and the regulation of securities, charities, and professional license holders.