[BreachExchange] Data of 7.5M Georgia voters at risk

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 6 19:46:07 EST 2017


https://www.scmagazine.com/data-of-75m-georgia-voters-at-
risk/article/642146/

The FBI has been called in to investigate the possibility of a breach at
Kennesaw State University's Center for Election Systems, the organization
that oversees the state of Georgia's election operations and voting
machines.

Personal information of as many as 7.5 million Georgia voters may have been
compromised in the incident, according to the Atlanta Journal-Constitution
(AJC).

Authorities are not revealing many details as the incident is under
investigation, but the announcement of a breach was made public on Friday,
March 3, when officials at Kennesaw State said they were working with
federal law enforcement officials "to determine whether and to what extent
a data breach may have occurred involving records maintained by the Center
for Election Systems.”

On March 3, the Georgia Secretary of State's Office announced that the
investigation did not pertain to its databases, containing information of
6.6 million voters registered in the state. That network was breached in
2015 when personally identifiable information of six million-plus
registered voters, including Social Security numbers, was sent to 12
organizations requesting voter lists. Recipients included media outlets and
political entities.

Kennesaw State University's Center for Election Systems has worked with the
Secretary of State's office since 2012 to oversee the election process in
the state. While it does not maintain its own live database of the official
voter registration database, the state is its one client for which it
"creates every ballot for every election and tests every single piece of
voting equipment used across the state," according to the AJC report.

It keeps an electronic record, used by poll workers across the state, to
verify registrants' personal information drawn from the Secretary of
State's database. This list is not posted on the internet; rather it is
hosted on an internal network. As well, several layers of security are in
place to prevent unauthorized access.

The AJC speculated that if a breach did occur, it likely involved the logs
generated for the poll workers' electronic poll books. "It also would
likely have come through the university's own information technology
system, given the statement from the Secretary of State's Office that its
network and systems were not involved," the AJC stated, though it is
unknown at this time when and how the incursion took place and what data,
if any, was exposed.

"Laws may incentivize certain institutions to have better cybersecurity
practices, but the laws ultimately cannot keep up with technological
developments – both in terms of attack vectors and cyber defenses,"
Alexander H. Southwell, chair of the Privacy, Cybersecurity and Consumer
Protection Practice Group at Gibson Dunn, told SC Media on Monday. "So laws
have a role in incentivizing behavior in broad strokes, but also need to
leave flexibility for tailored and changing solutions."

The stories of this particular breach is troubling given the unique role
the Center has in state elections, Southwell said. However, he pointed out,
it does not appear, based on preliminary reports, that the breach could
have affected any actual elections or involved any live voter registration
databases.

"The risk will depend on what personal identifying data is in the records –
the more detailed, such as Social Security numbers, the more risk of
potential identity theft," he said. "If the lost data is just names and
addresses, there is less risk."

Affected residents can potentially seek to hold liable whoever is
responsible for the breach or unreasonably lax security, said Southwell.
"But such claims for damages are difficult to successfully pursue, in part
because the risk of harm (and actual damage) is often speculative."

Merle S. King, executive director at Kennesaw State University's Center for
Election Systems, told SC Media on Monday that the FBI had taken the lead
in the investigation.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170306/b26a4245/attachment.html>


More information about the BreachExchange mailing list