Did the Democratic Party of Georgia just get caught trying to hack Georgia's voter database?
Or is this a last minute political hack job by a Republican who oversees state elections and is in a dead heat battle to be the next governor?
The world is left waiting for the answer after a four-sentence statement from Georgia Secretary of State Brian Kemp:
After a failed attempt to hack the state's voter registration system, the Secretary of State's office opened an investigation into the Democratic Party of Georgia on the evening of Saturday, November 3, 2018. Federal partners, including the Department of Homeland Security and Federal Bureau of Investigation, were immediately alerted.
While we cannot comment on the specifics of an ongoing investigation, I can confirm that the Democratic Party of Georgia is under investigation for possible cyber crimes. We can also confirm that no personal data was breached and our system remains secure.
On Monday, November 5, Kemp's office issued an update, saying the information on the alleged hacking came from the office's legal team, and that the hackers apparently targeted two specific pages:
1. The Online Voter Registration page
2. The My Voter page
Kemp's Monday morning update was also just four sentences long:
We opened an investigation into the Democratic Party of Georgia after receiving information from our legal team about failed efforts to breach the online voter registration system and My Voter Page.
We are working with our private sector vendors and investigators to review data logs. We have contacted our federal partners and formally requested the Federal Bureau of Investigation to investigate these possible cyber crimes. The Secretary of State's office will release more information as it becomes available.
InfoSec leaders will naturally wonder this: If private sector vendors and investigators are just now on the case, why did Kemp's office say it was an investigation against the State Democratic Party instead of, say, Russian operatives trying to hack the system and throw the blame to someone else?
Kemp's opponent in the governor's race, Stacey Abrams, spoke to Good Morning America on Monday, saying, “He cooked up the charge, because he realizes, once again, he left the personal information of six million voters vulnerable. This has happened twice before.”
Kemp's office, in fact, made headlines last summer after 6 million voter records were exposed.
And the State Democratic Party of Georgia says a private citizen notified them of similar vulnerabilities on the same day Kemp made his accusations. The Democrats posted this email from Richard Wright (whom they claim is not affiliated with the state party) sent to a Democratic party volunteer named Rachel:
Hey Rachel,
Nate asked me to provide you with details on the issues that I’ve discovered, and I believe he spoke to you about.
I’ve attached a postman file which shows details on the two issues I’ve discovered. The first issue is with the MY Voter Page site. It has a url to download sample ballots and poll cards; however, the url allows you to download any file on the system. The second issue is with the online voter registration. On that site, you can download a form to print and mail your registration to the local election office. That url contains an ID number for your request. If you change that ID #, which is just a counter – ie 1, 2, 3, …, you can download anyones data and that includes lots of PII (ie drivers license and last 4 of Ssn).
Feel free to call me at [REDACTED] if you have questions.
What does this email mean? State Democrats say it means the one who probed the voter pages was also the one who told the Democratic party, not the party itself:
As is abundantly clear from these emails, it was Richard Wright, not Rachel Small, who may have performed the actions described. The Kemp campaign has no case and must immediately retract their defamatory accusations.
We know one thing for sure: The race between Kemp and Abrams is in a dead heat. A poll last week by the Atlanta Journal-Constitution and Channel 2 Action news has each candidate with 47% of the vote.
And now, we wonder: Will allegations of hacking or lax cybersecurity tip the scales in a statewide election—and if so, which way?
MORE: Georgia election hacking documents:
Brian Kemp statement on Georgia election hacking
Brian Kemp update on Georgia election hacking
Georgia Democratic Party statement on election hacking