The FBI has been called in to investigate the possibility of a breach at Kennesaw State University's Center for Election Systems, the organization that oversees the state of Georgia's election operations and voting machines.
Personal information of as many as 7.5 million Georgia voters may have been compromised in the incident, according to the Atlanta Journal-Constitution (AJC).
Authorities are not revealing many details as the incident is under investigation, but the announcement of a breach was made public on Friday, March 3, when officials at Kennesaw State said they were working with federal law enforcement officials "to determine whether and to what extent a data breach may have occurred involving records maintained by the Center for Election Systems.”
On March 3, the Georgia Secretary of State's Office announced that the investigation did not pertain to its databases, containing information of 6.6 million voters registered in the state. That network was breached in 2015 when personally identifiable information of six million-plus registered voters, including Social Security numbers, was sent to 12 organizations requesting voter lists. Recipients included media outlets and political entities.
Kennesaw State University's Center for Election Systems has worked with the Secretary of State's office since 2012 to oversee the election process in the state. While it does not maintain its own live database of the official voter registration database, the state is its one client for which it "creates every ballot for every election and tests every single piece of voting equipment used across the state," according to the AJC report.
It keeps an electronic record, used by poll workers across the state, to verify registrants' personal information drawn from the Secretary of State's database. This list is not posted on the internet; rather it is hosted on an internal network. As well, several layers of security are in place to prevent unauthorized access.
The AJC speculated that if a breach did occur, it likely involved the logs generated for the poll workers' electronic poll books. "It also would likely have come through the university's own information technology system, given the statement from the Secretary of State's Office that its network and systems were not involved," the AJC stated, though it is unknown at this time when and how the incursion took place and what data, if any, was exposed.
"Laws may incentivize certain institutions to have better cybersecurity practices, but the laws ultimately cannot keep up with technological developments – both in terms of attack vectors and cyber defenses," Alexander H. Southwell, chair of the Privacy, Cybersecurity and Consumer Protection Practice Group at Gibson Dunn, told SC Media on Monday. "So laws have a role in incentivizing behavior in broad strokes, but also need to leave flexibility for tailored and changing solutions."
The stories of this particular breach is troubling given the unique role the Center has in state elections, Southwell said. However, he pointed out, it does not appear, based on preliminary reports, that the breach could have affected any actual elections or involved any live voter registration databases.
"The risk will depend on what personal identifying data is in the records – the more detailed, such as Social Security numbers, the more risk of potential identity theft," he said. "If the lost data is just names and addresses, there is less risk."
Affected residents can potentially seek to hold liable whoever is responsible for the breach or unreasonably lax security, said Southwell. "But such claims for damages are difficult to successfully pursue, in part because the risk of harm (and actual damage) is often speculative."
Merle S. King, executive director at Kennesaw State University's Center for Election Systems, told SC Media on Monday that the FBI had taken the lead in the investigation.