Many questions remain for Brian Kemp in ‘Peach Breach’

Brian Kemp, seen here in a file photo from January, has a lot of questions to answer. (AJC Photo / Bob Andres)


The release of more than 6 million current or past Georgia voters’ personal information, which was “announced” Wednesday by the filing of a lawsuit against Secretary of State Brian Kemp, is a big deal. No Joe Biden “BFD” jokes here; this situation is too serious for those.

The explanation Kemp offered late Wednesday via a written statement doesn’t cut it. What kind of “clerical error” are we to believe was really responsible for this? A monthly release of the same fields from a database is the kind of operation that should be automated — or, at the very least, it should run the exact same query every single time. There is no excuse for doing it any other way. What’s more, why do identifying data such as Social Security numbers and driver’s license information exist in a database in Kemp’s office without being encrypted? If those data aren’t being protected so that it would take more than a mere clerical error to expose them, that’s a problem in itself.

Kemp’s focus on the physical discs also flies in the face of everything we know to be true about data. Once distributed, the data on those discs can take on a life of their own. What remains unclear at this point is whether any of the recipients uploaded the data into larger voter-information systems they maintain, and what kind of exposure there could be from those larger databases. Kemp has said his staff confirmed that with the recipients, but at this point we’ll need a little more than his word. Can we be certain, for instance, that the recipients, which include five political parties, don’t have their own automated queries run on such files? We also need to know whether those physical discs were the only means by which voter data were distributed in October — a month before local elections, it’s possible the regular monthly recipients weren’t alone in getting voter data at that time — and whether there’s anything in the procedures that limited the supposed clerical error to gathering data for those discs.

I am awaiting word from Kemp’s office as to when, or if, he will make himself available to answer these and other questions.


43 comments
Juanx

This guy, Brian Kemp, did not have the decency to let the public know the depth of this breach. Had my Congressman, a Democrat, not notified us we would not have had a clue. If anyone is monetarily harmed by this I hope they sue the State and Brian Kemp personally.

TheDoobieMan

This man needs to step down immediately, he has grossly violated the trust of Georgians all across this state - and he'd best be prepared for personal lawsuits that are sure to come...!

Wascatlady

And they recovered some of the CDs; the others were "destroyed." Now, what chance is there that they did NOT download it, but just threw it away unexamined?

Wascatlady

According to today's paper, there was another "error" in 2012 in this office.  Did anyone get notice on this?  And how many chances does this leadership get?

Imagelink

Kemp is trying to play it down with phrases like "clerical error" and claiming "all is well because all of the discs have been returned and/or accounted for." Just as the main architect of the "affordable" health care act, he's counting on the "stupidity of the American voter." You can copy a CD with all this information on it in less than a minute. You can send that information to an Eastern European ID theft ring in less than a second. The State should have to pay (out of Kemp's budget and salary if necessary) for ID theft protection for each and every person named on the discs and he must resign.

If not, the 2 civil suits will turn into 6,000,000. 

Wascatlady

@Imagelink I believe it is a class-action suit, so all 6 million could be included.

Chiweenie4me

Firing one staff level employee won't make this go away. At a minimum the IT Director should be fired as well - and soon. What they need is a transformation in their IT department. Getting rid of one guy won't accomplish anything. They need to remove the people in charge. Those are the people who should have put strong controls in place.

Today would be a good day for a fresh start. Time for Brian to show his leadership abilities by getting rid of ALL of those who should be held responsible.

Kemp_Must_Go

Kemp's office's claim of a "clerical error" is nothing but a load of garbage. The truth is that the vendor who is responsible for the Voter Registration system made an unbelievably stupid mistake. A special extract of the voter file was requested by another government agency, which is why the birth date, SSN, and driver's license numbers were included. The vendor was careless and mistakenly made the changes to the regular monthly process that produces the file that is available to anyone who wishes to purchase the list. The fact that the vendor made these changes to the file that is available to the public without double/triple checking speaks volumes of their incompetence. Clerical error? Yeah right. I know this to be true because I have personally spoken with people directly involved.


Secretary Kemp has systematically destroyed what was, under Cathy Cox, one of the finest State agencies in the country. Do us all a favor and vote for ANYBODY but Kemp.


The basic file, withOUT sensitive information, is available to anyone for $500.

RoadScholar

Kyle, why is it that the cons post repeatedly on Bookman's blog, but most do not come here to post. Why is that?

Bill72

What?  No reference to charter schools being the solution to this kind of incompetence?  Tsk tsk, Kyle!

Wascatlady

@Bill72 I've been waiting for a tie in to Benghazi or Hillary's email!

Wascatlady

Then, you have to also wonder why the SOS office was not contacted by at least ONE of the recipients to say, "Hey, we seem to have gotten some sensitive information on the October run."  Makes you worry that at least ONE of the recipients might have a person who sees that they could copy and sell the info for a billion dollars to the "bad guys."

Wascatlady

I'd like to have answered WHY this information is available to these groups, and IF they pay for the information?  And if so, how much?  Will we ever see the answers to this?


When you register to vote, you are never told the information is "shared," yet other entities have to tell you this.  Why not the state?

stogiefogey

It's been common knowledge for a long time. Try to keep up old gal.

JamVet

First Handel and now this guy.

You're doing a heckuva job, Georgia connies...

stogiefogey

"Clerical error" is so passe. The latest cutting edge term, as used by our president to describe similar technology faux pas, is "a glitch". As in the ACA website debacle was "a glitch".

Wascatlady

@stogiefogey The ACA website did not disclose private information.  This is infinitely more serious!  Credit monitoring should be absolutely available for free, and Kemp should be removed.

lvg

This is not nearly as big a threat as those Syrian orphans or grandmas voting without proper ID.

Kyle_Wingfield moderator

@lvg The "Syrian orphans" thing is not only off-topic, but the most intellectually lazy/dishonest talking point in a long time. And that's saying something.

Kyle_Wingfield moderator

@Wascatlady Tell us, who in state government is worried about "Syrian orphans," as opposed to people who might enter alongside them?

Like I said, it's an intellectually lazy and dishonest talking point designed to draw attention away from the real problem, which is the out-of-control situation in Syria causing people to flee in the first place.

Kyle_Wingfield moderator

@Bhorsoft No, you'll notice the claim is that someone's worried about "the threat" of "Syrian orphans." Exactly no one is worried about "Syrian orphans." As I said before, they're worried about who might enter the country alongside those orphans if the vetting process is insufficient.

But the use of "orphans" by detractors of Deal and others is intentional, designed to belittle their position by misrepresenting it. And it's dishonest.

xxxzzz

First question should be-"When are you going to resign?"  Second question should be-"Do you think you are now qualified to work for DeKalb County?"

RoadScholar

When available? Late Friday at best, probably Thanksgiving night at 11 pm.

DawgDadII

I am an IT manager at a Fortune 500 company.  "Clerical error" seems highly unlikely, this is a major breach of information or access security and internal controls, for an external reporting function that either should be automated or subject to review with multiple human inspections and sign-offs (i.e., more than one person should be getting fired). 


An immediate IT general controls audit should be ordered and performed by an independent audit firm (not one employed by the State). 


Then there is the issue of communicating to the victims and indemnification of any losses associated with this breach, losses which likely would ultimately and primarily be borne by the taxpayers.


Not being fully familiar with Georgia Law, generally speaking I would consider this potentially an impeachable offense for the Secretary of State, pending the results of the audit.


I have long advocated we need a Sarbanes-Oxley law applicable to Government (at all levels, but particularly from the top-down). The people deserve no less than top-level accountability for adequate internal controls of our Government institutions. This is a classic example of why, piled on top of the countless other reasons.

ByteMe

@DawgDadII Not impeachment...  the best available remedy without him being forced to resign is a "recall" done by getting signatures of 15% of the registered voters in the state and then a new election gets held.

Caius

1. The cover up is a big deal.  Not notifying voters that their personal data had been compromised is an even bigger deal.  Where is my letter?


2. Who voted for this guy?  Are you going to vote for him again?


ByteMe

@Caius He has an "R" after his name... Many in this state would happily vote for Satan if he was on a ballot with "R" after his name.


Satan (R - Ringgold)


See how easy that is to get elected?

oldgrumpyguy

The rest of us are awaiting word from Kemp's office that he has done the right thing and has decided to resign, and it would be even more interesting if it were because of pressure from the Gov's office.  


Hey, everybody's gotta have a dream. 

Hedley_Lammar

Perhaps if they were more concerned with doing their jobs instead of pandering to Republicans over voter fraud concerns this stuff wouldn't happen.

Wascatlady

@Hedley_Lammar Yeah, we all know the first thing those illegal aliens do when they arrive is register to vote, followed closely by signing up for welfare!

ByteMe

The first thing I do with a disk of data is load it into my database server.  I'm assuming that over the past month -- since this distribution of my personal data was done -- that at least one of the IT people in at least one of the 12 organizations who received the data would have done the same thing.  So getting the disks back is definitely a "closing the barn door after the horses have gotten out" situation.


We weren't notified of the "breach" first.

We haven't been offered credit checks like every other business would have done when a breach of this size is detected.

We haven't been told who screwed up, how they screwed up, how SecState's processes were designed so they wouldn't screw up, etc.


I smell a cover-up.  All I'm waiting for now is the shell game where Kemp gives us something stupid to focus on instead of on his office.  Squirrel!!

Wascatlady

@ByteMe The really scary thing is no one in the office seemed aware of it until over a month later, when it was brought to their attention!

Bhorsoft

I see today that Kemp fired the IT person who allegedly put together the data that was released.  He or she supposedly did not "follow procedures" when putting it together.  So, moral is to fire the person who committed the "clerical error."


As you point out, why isn't this critical personal data encrypted in their systems?  I've worked in IT with credit card, SSAN, and other personal data and if we were required to keep the data we encrypted it.  If it wasn't required we just deleted it from the system. We even had automatic programs that ran frequently and periodically to encrypt or purge the data.


We do know that government IT spending is not a priority and IT contracts go to the low bidder - or to the people who contribute most to political campaigns.  To a degree, we got what we the taxpayers (and voters) paid for.


nick1234

@Bhorsoft You hit the nail on the head. Government IT is not a priority. This is a statewide problem and bigger than just the SOS's office. I don't actually blame Kemp directly, it's the state as a whole. Our technology is decades behind.