Georgia Secretary of State Brian Kemp’s Nov. 3 accusation that Democrats attempted to hack the state’s voter registration database three days before a gubernatorial election he would go on to win was blasted at the time by cybersecurity experts, who said Kemp offered little evidence to support his claim. Six weeks later, a report confirming that Kemp made his accusation based on a single piece of flimsy evidence, and that no law-enforcement investigations ever took place, strongly suggests Georgia has ignored good election security practices, an expert in the field told StateScoop. Eric Hodge, the director of election security services for the security firm CyberScout, responded to a Dec. 14 report by the Atlanta Journal-Constitution that found that Kemp’s claim that Democrats tried to hack the state voter file was based on a lone email to a Democratic volunteer from a software developer who said he found vulnerabilities in the database. In his capacity as secretary of state, Kemp, who resigned Nov. 8, was Georgia’s top elections official, leading to criticisms about whether he should oversee an election for governor in which he was also the Republican candidate.
Kemp defeated Democrat Stacey Abrams by about 55,000 votes, a margin that the Journal-Constitution reported could’ve been swayed by his last-minute accusation of an attempted cyberattack.
“In this case, it seems the Georgia leadership shot the messenger and thought the messenger was representing a political opponent and accused them of malfeasance,” Hodge said. “It had the feel of a political reaction.”
The vulnerabilities in question were spotted when the developer, identified by the Journal-Constitution as Richard Wright, logged on to Georgia’s voter website to check his registration. Upon attempting to download a sample ballot, Wright discovered the site allowed public users to download any file, and that altering certain numerals in the URL for a voter registration allowed users to access any Georgia voter’s file, containing many lines of personally identifying information. Wright eventually emailed his concerns to the state Democratic Party, which forwarded it to security experts at Georgia Tech.