ATLANTA - Georgia's secretary of state said Thursday that he takes "full responsibility" for more than 6 million voters' personal information being released to media and political parties and has fired an employee who he said is at fault.
Secretary of State Brian Kemp said in a statement that as of Thursday morning, all 12 discs containing sensitive information had been retrieved or destroyed.
"My staff has verified with the media outlets and political parties that received these discs that they have not copied or otherwise disseminated confidential voter data to outside sources," he said. "I am confident that our voters' personal information has not been compromised."
Georgia Secretary of State Brian KempBut at least one person who said he regularly receives the file told The Associated Press on Thursday that he threw the October disc away before an investigator with Kemp's office asked that it be returned. Kemp spokesman David Dove said the office considers that disc "disposed."
A lawsuit filed this week revealed what Kemp said his office learned on Friday - that Social Security numbers, dates of birth and driver's license numbers for 6.1 million registered voters was included in a voter file provided last month to 12 organizations.
That's among the largest breaches affecting states, if not the largest, according to a timeline kept since 2005 by the Privacy Rights Clearinghouse. South Carolina in 2012 discovered that unencrypted data from tax returns was hacked from its Department of Revenue, affecting 3.8 million adults, 1.9 million dependents and 700,000 businesses. The state spent nearly $50 million on credit monitoring services.
Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse, said the information released in Georgia can cause more serious issues than recent commercial breaches at retailers including Target. Those involved debit or credit card numbers, allowing consumers to catch fraudulent charges.
"You're not going to find out that somebody has obtained a credit card in your name," Stephens said. "They will go out, run up a big bill and when it's not paid, a collection agency comes looking and finds you, not the crook."
Stephens recommended a security freeze or fraud alert available through the three official credit reporting agencies.
Kemp's office on Thursday issued a formal alert and recommended that registered voters request free credit reports. The alert provided instructions on how to request a security freeze but didn't offer credit monitoring. It warned against fake emails or calls offering monitoring by the Secretary of State's office.
Kemp's office regularly provides an updated voter file to statewide parties and media, as allowed by Georgia law. Others can pay a $500 fee to get a copy of the file. It is supposed to include only a voter's name, residence, mailing address, race, gender, registration date and last voting date.
Clayton Wagar, publisher and owner of the political blog PeachPundit.com, said he has received a copy of the file each month since 2013. Wagar said an investigator with the office called him on Tuesday to retrieve the latest disc.
Wagar said he found a disc from November at his home but could not find October's. He said he must have thrown that disc away, unaware that it contained the extra personal information.
"I can't guarantee once it left me where it went," Wagar said. "It's not going to get us anywhere to have a false sense of security."
The next day, he gave an investigator a signed statement saying he had thrown the October disc away and also returned his November disc, which did not contain the extra personal information. Wagar said he later found an October voter file on his personal computer, searched for and found his own Social Security number, and then deleted the file.
Kemp on Wednesday said the additional personal information was put in the wrong file because of a "clerical error." Kemp said the IT employee responsible was fired for "breaking internal rules."
On Thursday, he promised to limit employee access to the secure site where the voter file can be downloaded to one person. Kemp also said he's creating a "three-part check" before discs containing the statewide voter file can be sent to the public.
State Sen. Greg Kirk and Rep. Ed Rynders, Republican lawmakers who sit on the respective House and Senate committees overseeing state government, said they remain confident in Kemp.
"It's a human mistake," said Rynders, chair of the House Governmental Affairs Committee. "So you put the proper oversight in place and decrease the likelihood these type of accidents don't occur in the future."
Rep. Scott Holcomb, D-Atlanta, called the release a "complete breakdown" and said he wants details from Kemp about how the office concluded voters' information is secure.
"We're not talking about minor details," Holcomb said. "These are all the pieces to the puzzle that people who want to commit identity theft need."
Attorney Jennifer Auer Jordan is seeking class-action status for the lawsuit and said Wednesday that her two clients want Kemp to notify voters and credit agencies and provide credit monitoring.