Behind the #PeachBreach: How the Secretary of State’s office compromised the personal data of Georgia’s voters

What started as a minor misunderstanding morphed into an “emergency” that affected more than 6 million people. Who’s to blame for a data breach of historic proportions?

To fully grasp the perils of the #PeachBreach, and the predicament Georgia Secretary of State Brian Kemp now faces, you have to start small. There exists, within Kemp’s office, a single digital document called the “State Download File.” If you’re a registered voter in Georgia, your name and address, race, and gender are on this list. Because it’s public record, anyone can obtain this data. The press and political parties get the file for free, while everyone else has to pay $500 for it. Each month, a Secretary of State staffer burns the latest version onto a CD, labels it with a permanent marker, seals it once inside a cardboard disc cover, and seals it again inside a bubble-wrap mailer.

The Secretary of State’s office had been distributing the State Download File since long before Kemp took office in 2010. There had never been a major problem with the process, in part because the truly sensitive information wasn’t included. But on October 13, his office sent the disc to a dozen different organizations that included newspapers (the Atlanta Journal-Constitution, Savannah Morning News, Macon Telegraph), political parties (the Democratic, Republican, and Libertarian parties), and even the editors at Georgia GunOwner magazine. Unbeknownst to Kemp, who was far removed from the ins and outs of the file’s distribution, the October mailing was sent out with voters’ birthdates, driver’s license numbers, and social security numbers included. In theory, a recipient could have stolen the identities of approximately 6.1 million voters because of a lack of security measures.

At 3:20 p.m. on November 13, exactly a month after the discs were mailed out, Georgia Pundit’s Todd Rehm called Kemp with an urgent message: His State Download File contained sensitive info he shouldn’t have received. Once Kemp hung up the phone, he asked three senior-level officials to verify the source of the data breach, according to an internal investigation released by Kemp’s office yesterday. His managers searched for answers from their staffers. At 4:24 p.m., Gary Cooley, a systems programmer who had worked with the Secretary of State’s office since 1995, fired off an email to PCC Technology Group, the third-party vendor that each month created the file: “Call me. This is an emergency. Brian is being called.”

On November 18, five days after the issue first came to light, Kemp acknowledged the problem to the public. He sought to reassure Georgia voters, saying his office had received verbal confirmation from the 12 groups that no one had copied the State Download File. To be sure, however, his office would retrieve each CD and collect a signed affidavit from each recipient to ensure no copies were made. “I am confident that all personal information is safe and secure,” he said in a statement. Based on his office’s work, he believed the breach was nothing more than a “clerical error.” To ensure it didn’t happen again, Kemp fired Cooley for his alleged role in the mess-up. (More about that in a minute.) He also vowed to enact stricter security measures. However, not everyone was assured.

“Unfortunately, just like the poor teenage girl who is convinced by her admirer to send indiscreet photos of herself, they will learn otherwise,” Peach Pundit publisher Clayton Wagar, one of the 12 recipients of the State Download File, wrote in a November 18 blog post. “Data has a life of its own, and the automated replication of data is unavoidable. Once it exists, it exists—forever.”

Over the past month, Kemp had promised to release documents related to the #PeachBreach. The emails detailing the breach—along with personnel files, signed statements from employees, and other internal policies—were included in the report issued Monday by the Secretary of State’s office, in response to multiple Open Records requests from media across the state. (You can read the 30-page report here along with the following exhibits: A—Employee Statements, B—Job Descriptions, C—Secretary of State’s Office IT Policies, D—SANS Report, E—PCC Reports, F—Emails Regarding DOR request, G—JIRA Tickets, H—Documents Related to Voter List Requests, I—Gary Cooley’s Personnel File, J—Gary Cooley’s Email, K—Remedial Policies.)

Throughout the report, written by two Kemp staffers, Cooley is portrayed as the main person to blame for the data breach. The investigation found Cooley had a “tendency to act independently” and disregarded internal procedures since he became a full-time $83,000-a-year employee in December 2008. During the following year, Cooley was suspended without pay for “failure to achieve accuracy in his work, failing to document audit processes, and failing to accurately and timely communicate his workflow to his supervisor.”

We tried multiple times to get in touch with Cooley on Monday night and this morning, but he didn’t return our phone calls. On December 2, as the #PeachBreach’s details began trickling out to the public, Cooley told the AJC he was taking the fall for “an honest mistake” that revealed a problem with how his office transferred the State Download File. It was an issue, he said, that was the responsibility of his superiors.

“It seems like the pure definition of the word, what happened to me,” he told the paper on December 2 when asked whether he was a scapegoat. “I just want to clear my name and get the story correct.”

During early 2014, Kemp’s office had started to move into the digital era when it acquired a new server. Data subsequently had to be transferred. As the process unfolded, certain organizations that needed the State Download File, including the Democratic Party of Georgia, were receiving it in different formats than usual. One of those organizations happened to be a state agency: the Georgia Department of Revenue. Between August 2014 and August 2015, the data the Department of Revenue received from Kemp’s office hadn’t properly migrated into its database. To fix the problem, both state agencies discussed how to securely transfer the data. On August 10, 2015, Cooley opened up a ticket to resolve the issue. PCC started working to get the Department of Revenue the data it needed, which included birthdates, driver’s license numbers, and social security numbers, all of which was to be encrypted.

Both PCC and Cooley had agreed that the Department of Revenue’s encrypted file should be transferred over the Secure File Transfer Protocol, often referred to as “SFTP,” the same channel they used every month to move the State Download File. On October 5, Cooley asked PCC’s Keval Patel to send the file “as soon as possible” after several weeks of delays. But a minor miscommunication ensued, according to the investigation: Patel updated the old file but didn’t tell Cooley; Cooley waited a week to confirm with Patel. During that period, another Secretary of State staffer outside of Cooley’s division downloaded the file, thinking that it was the normal State Download File and not the one specifically for the Department of Revenue. However small the problem started, it ultimately led to a mammoth data breach.

Once Cooley learned of the error, he asked PCC to replace the file. He didn’t tell anyone, though, because he thought he’d dodged a bullet. “I thought, ‘we got lucky, no harm done,’” he told the AJC. According to the investigation, Cooley could have stopped the CDs from being mailed if he had spoken up to his superiors. “Instead, Mr. Cooley chose to cover up his mistake and remain quiet,” the report said. Thus the simple misunderstanding morphed into a data breach of historic proportions: It’s about twice as big as the South Carolina Department of Revenue’s 2012 breach that exposed 3.6 million residents’ social security numbers and nearly a third of the size of the U.S. Office of Personnel Management’s 2015 breach that compromised the personal information of more than 21 million Americans. (Both of those breaches were prompted by hackers.) It ultimately cost Cooley his job.

Despite his decision to fire Cooley, Kemp was still feeling pressure. On December 2, he approved a $395,000 payment for a Deloitte audit on his office’s IT operations. Though he pledged the personal data was secured, he offered all 6.1 million registered voters free credit monitoring. The potential cost to taxpayers? $1.2 million. In yesterday’s report, Kemp’s office also decided to adopt tighter data procedures that include requiring two people to watch over sensitive voter information, holding managers more accountable for the actions of their employees, and increasing data training for all staffers in his office.

So what happens now? Two Georgia residents have filed a lawsuit seeking class-action status, while the League of Women Voters has urged Gov. Nathan Deal to launch a formal investigation, and Congressman Hank Johnson, D-Lithonia, has called for a federal probe. Pundits on the right and petitioners on the left have demanded Kemp’s resignation. More than 3,200 people have signed a petition with the title: It’s Time to Fire Secretary of State Brian Kemp.

State Rep. Scott Holcomb, a Democrat from Atlanta, said the report is most notable for the questions it doesn’t answer: Why doesn’t the report outline specifics about securing the 12 CDs? Why haven’t notes from Kemp’s investigators been released? Where are the signed statements from State Download File recipients affirming they returned or destroyed the CDs? Is there any proof that shows the personal information of Georgia voters wasn’t compromised?

“This report shows us up to when they released information, but it doesn’t answer questions of securing information after the release,” Holcomb told us. “There’s nothing about the steps to secure the data of more than 6 million Georgians. They missed the climax. They missed the end of the story.”