It is frustrating for citizens to continue to watch state and federal governmental agencies announcing massive data breaches of citizens’ personal information. Here is another one.
On Tuesday, December 15, 2015, the Georgia Secretary of State’s office released a much awaited report concerning a data breach that occurred on October 13, 2015, but wasn’t publicly disclosed until November 18, 2015.
The breach happened when the Georgia Department of Revenue requested sensitive data, including Social Security numbers, dates of birth, and drivers’ license numbers of voters so it could match it to entries in its database. This is disturbing in and of itself. Citizens should be able to rely on governmental entities to use best practices in accessing, collecting and maintaining citizens’ Social Security numbers and only ask for the minimum amount necessary. The reason why all of this sensitive data was being requested has not been made public.
An employee of the Secretary of State’s office contacted an outside vendor to respond to the request. The vendor uploaded the data to an existing statewide voter file that should not have contained the information. The employee shared his user ID with another employee. That employee accessed the file that contained the sensitive information and burned the information onto CDs and emailed the voter list that wrongfully contained the sensitive information to a list of 12 groups that routinely receive voter information, including state political parties, media organizations, including the Atlanta Journal-Constitution and Georgia GunOwner Magazine.
The CDs were recovered or destroyed. Nonetheless, a class action lawsuit was filed for the breach and a Georgia Congressman has requested that the FTC investigate the breach.