Gaping Security Hole In Georgia Elections System Revealed Ahead Of Runoff

This Sept. 22, 2016 photo shows employees of the Fulton County Election Preparation Center in Atlanta testing electronic voting machines. (AP Photo/Alex Sanz)

Less than a week out from a highly anticipated special U.S. House election in Georgia, a private security researcher has revealed that he discovered a serious security hole at the center that helps manage election operations and voting machines for the state.

The findings from researcher Logan Lamb, whose account was first reported by Politico on Wednesday, raise concerns about the security of Georgia’s election system. Due to a misconfigured server on the website of Kennesaw State University’s Center for Election Systems, Lamb said that he was able to gain access to data including a voter registration database with information on 6.7 million voters, documents with poll workers’ passwords and software for the state’s electronic poll books.

He told the Associated Press that he was moved to share his findings publicly after the Intercept published a National Security Agency report showing that Russian military intelligence hackers went after U.S. voting infrastructure in 2016, including attempting to phish local elections officials. Bloomberg also recently reported that Russian cyber attacks on voter databases and election software were much broader than previously known, targeting no less than 39 states (it’s unclear whether Georgia was one of the 39).

Lamb said he first came across the files in August 2016 and brought them to the attention of the center’s director, Merle King, who he says vowed to patch the hole. But a second private researcher was able to access the same data as Lamb earlier this year, showing that the security gaps Lamb says he warned King about had not been fully addressed. A security breach at the center first was reported in March, kicking off an FBI investigation.

A spokeswoman for the Georgia Secretary of State’s Office says they were made aware of the breach in March, but were unaware that the center had been warned about security issues before then.

“We were notified of the KSU hack on March 2. We were not notified, however, when KSU officials were apparently first warned by an outside source of potential server vulnerabilities,” Candice Broce, a spokeswoman for the secretary of state’s office, said in a statement. “This failure in communication is inexcusable.”

Despite the security concerns raised by Lamb, Broce said that the secretary of state “remains confident in Georgia’s elections systems and voting equipment,” citing a county judge’s recent decision in a case concerning the state’s voting system.

Two Georgia voters and an advocacy group filed a lawsuit last month to try to force the state to stop using its old touchscreen electronic voting machines, which do not produce a paper ballot, citing the FBI investigation into the data breach. Using machines that do not leave a paper trail could make it more difficult to determine whether hackers tried to interfere with an election. However, the judge denied their request on Friday, arguing that the plaintiffs did not offer enough evidence “to demonstrate any concrete harm.”

Republican congressional candidate Karen Handel has also been pulled into this story line, as she was involved in assessing the security of the state’s voting system when she was elected secretary of state in 2006. As the Washington Post reported, Handel ordered an assessment of the state’s voting system, prompting the Office of Policy Analysis and Research at Georgia Tech to produce a report in 2008.

Richard DeMillo, who oversaw that assessment, told the Post that it found several issues with the state’s election procedures and that he also told the secretary of state’s office that Kennesaw State University’s Center for Election Systems was at risk of an attack. Handel never followed up on that report, according to DeMillo.

“She seemed very interested in getting this, at the time,” he told the Post. “Once she was in office for a few months, we heard nothing.”

The Post asked Rob Simms, who served as Handel’s deputy secretary of state and now runs her campaign, about DeMillo’s claims.

“You’re asking if we ever ‘responded’ to a report/study that was done more than 10 years ago?” Simms asked in response, per the Post. “Doesn’t make sense to me.”

Voters in Georgia’s Sixth Congressional District head to the polls Tuesday for the runoff election to replace Health and Human Services Secretary Tom Price.


Notable Replies

  1. Coincidence?

    Nyet…

  2. Obama tried to fix the broken election systems, but we need an even bigger effort to both upgrade the security uniformly across the country and allow auditability of the vote.

  3. Lamb said he first came across the files in August 2016 and brought them to the attention of the center’s director, Merle King, who he says vowed to patch the hole. But a second private researcher was able to access the same data as Lamb earlier this year

    Feature not bug.

  4. It’s like Ms. Handel was psychic, and foresaw the need for future election malfunctions?

    Very impressive…

  5. cd says:

    need left of center hacker to turn results lopsidedly in favor Dem candidate for this to be taken seriously

    only true resolution is return to verifiable paper trail
