This story first appeared at ProPublica and the Atlanta Journal-Constitution. ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.
It was a stunning accusation: Two days before the 2018 election for Georgia governor, Republican Brian Kemp used his power as secretary of state to open an investigation into what he called a “failed hacking attempt” of voter registration systems involving the Democratic Party.
But newly released case files from the Georgia Bureau of Investigation reveal that there was no such hacking attempt.
The evidence from the closed investigation indicates that Kemp’s office mistook planned security tests and a warning about potential election security holes for malicious hacking.
Kemp then wrongly accused his political opponents just before Election Day — a high-profile salvo that drew national media attention in one of the most closely watched races of 2018.
“The investigation by the GBI revealed no evidence of damage to (the secretary of state’s office’s) network or computers, and no evidence of theft, damage, or loss of data,” according to a March 2 memo from a senior assistant attorney general recommending that the case be closed.
The internet activity that Kemp’s staff described as hacking attempts was actually scans by the U.S. Department of Homeland Security that the secretary of state’s office had agreed to, according to the GBI. Kemp’s chief information officer signed off on the DHS scans three months beforehand.
Although there was no malicious hack, the GBI files also report that the state’s website where voters can check their information did have a significant vulnerability — a flaw Kemp’s staff still won’t acknowledge a year and a half later.
Candice Broce, Kemp’s spokeswoman, continued to insist Friday that elections officials responded to a “failed cyber intrusion,” despite the GBI’s findings that scans came from DHS.
“The attorney general determined that the secretary of state’s office properly referred this matter to law enforcement for investigation,” Broce said. “The systems put in place by Brian Kemp as Georgia’s secretary of state kept voter data safe and secure.”
In 2018, while the secretary of state’s office rushed to fix the vulnerability before Election Day, Broce, who was also Kemp’s spokeswoman then, said the last-minute patches to the website were “standard practice.”
The attorney general’s office in March closed the investigation Kemp started, finding no evidence that would justify a prosecution.
After the investigation ended, The Atlanta Journal-Constitution used the Georgia Open Records Act to obtain 395 pages of GBI case files, including interview summaries, emails and election security reports.
“Accusing an opponent of criminal acts without basis in fact, and lying to the public to cover up their own ineptitude, was a breach of public trust,” Sara Tindall Ghazal, the Democratic Party of Georgia’s voter protection director at the time, said in an interview. Ghazal helped alert authorities to the election website vulnerabilities.
The GBI files don’t explain the basis for the decision by Kemp’s office to blame the Democratic Party or support his accusation. Kemp went on to narrowly defeat Democrat Stacey Abrams in the election for governor.
Raising the Alarm
Events unfolded quickly when Richard Wright, a Roswell voter, noticed vulnerabilities in the state’s election website shortly before voters went to the polls Nov. 6, 2018, according to the case files.
Wright, a Georgia Tech graduate and Democratic voter who works for a software company, had listened to a news report about a lawsuit over election security. He then checked his voter registration information and used his web browser’s built-in tools to analyze the state’s My Voter Page.
“When visiting the MVP site, I was curious if there were security issues given the recent news coverage I had heard,” Wright wrote in a response to questions from the attorney general’s office.
Wright found that he could look up other voters’ information by modifying the web address on the site, a flaw confirmed by ProPublica and Georgia Public Broadcasting before it was fixed.
He also made more disconcerting claims, that someone could “download any file on the system” as well as voters’ driver’s license numbers and partial Social Security numbers. Those allegations were not substantiated. Wright told investigators he didn’t attempt to look at any information on the website other than his own and his wife’s.
Kemp’s office disputes Wright’s allegations.
“Richard Wright’s allegations — sent through the Abrams campaign and funneled to the Democratic Party of Georgia — were false because you could not access confidential voter data,” Broce said.
After discovering the vulnerability, Wright contacted plaintiffs in the election security lawsuit and the Democratic Party of Georgia. They passed along his concerns, which soon reached the FBI, the National Security Agency, the GBI, the Abrams campaign, Georgia Tech professors and attorneys for the secretary of state’s office.
Kemp’s staff began looking into Wright’s claims. If true, they would be another blemish on Kemp’s election security record after his office had previously exposed voter data and wiped election servers soon after being sued. His staffers, however, suspected hacking.
“Our vendor’s research shows that the only way to accomplish this on the site is using tools designed to attack websites, which is what we fear is happening here,” Ryan Germany, Kemp’s general counsel, wrote in a Nov. 3 email. “Our vendor is making changes tonight to resolve the issue and is reviewing logs, but after our initial research it seems that we are dealing with an intentional attempt to hack a website.”
An election security vendor for the state, Fortalice Solutions, later concluded, however, that there was no evidence that voter information had been accessed, manipulated or changed by bad actors.
Fortalice also confirmed vulnerabilities that exposed files on the My Voter Page. DHS exploited those vulnerabilities when it was testing Georgia’s election system in October 2018, according to the GBI files. Details of Fortalice’s findings were redacted from those files. The company said the vulnerabilities did not reveal confidential voter information.
Nevertheless, “having an unpatched vulnerability like this is a really big problem,” said Richard DeMillo, a Georgia Tech cybersecurity professor contacted by the Democratic Party with Wright’s concerns. “Since we know that the Russians were probing voter registration sites, why would you assume this kind of vulnerability wasn’t something they could exploit?”
Wright’s email to the Democratic Party included an attached file that showed his web browser’s interactions with the My Voter Page. The way the website worked suggested to Wright that the system could be exploited.
When that email reached Kemp’s office, Broce told investigators she thought the attachment was a script that could be used for hacking.
That wasn’t true, according to a GBI digital forensic investigator. The file was “merely a roadmap” of the website’s behavior.
But someone else was probing Georgia’s election websites: the U.S. government. The federal Cybersecurity and Infrastructure Security Agency confirmed it was conducting cyberhygiene scanning to find vulnerabilities, tests that had been approved in advance by Kemp’s office.
Broce, who was both Kemp’s press secretary and a staff attorney, told investigators she was concerned that Wright had “spoofed” internet addresses to make it look like they were coming from DHS. Investigators later confirmed with Homeland Security officials and their network providers that they were the source of the scans.
It remains unclear how Kemp’s staff concluded that the Democratic Party was responsible for a hacking attempt. The party’s only role was that it had forwarded an email about vulnerabilities to two cybersecurity professors at Georgia Tech, including DeMillo, who then alerted authorities. The GBI did not interview Kemp about the case.
“Instead of immediately addressing the problem, it became political. It became an attack on the Democratic Party on the eve of the election,” said David Cross, an attorney for plaintiffs in the election security lawsuit against the state. “I don’t see any way anyone could have a genuine belief there was any hacking done at all, much less by the Democratic Party.”
While publicly denying Wright’s claims about vulnerabilities, behind the scenes, Kemp’s staff was working to correct them.
ProPublica and GPB reported on the day before the election that Kemp’s office was patching problems with the state’s election website, even as Kemp maintained the system was secure. The GBI files confirmed that the My Voter Page was modified to restrict access to vulnerable areas.
The secretary of state’s firewall hadn’t been set up to block access to the locations identified by Wright, according to a GBI agent’s report. Election officials then “set up safeguards to restrict access to the vulnerable areas” on the last two days before the 2018 general election.
ProPublica found at the time that the vulnerability gave access to some nonconfidential information on the My Voter Page, such as a voter’s absentee ballot status. Birthdates, Social Security numbers and driver’s license numbers weren’t available. It wasn’t clear what sensitive information, however, could have been inadvertently accessible before programming errors were fixed.
Even if the security vulnerabilities revealed public information, web pages would have been nonetheless visible to people who shouldn’t have been able to see them. The flaws also exposed details of the computer system that could have given hackers a road map to inflict greater damage.
Georgia election officials and their cybersecurity companies should have detected the problem before Wright brought it to their attention, said Frank Rietta, the CEO of Rietta.com, a web application security firm based in the Atlanta suburb of Alpharetta. Users of the My Voter Page were able to access voter registration information without first logging in.
This type of weakness, called broken access control, is one of the 10 most critical web application security risks, according to the Open Web Application Security Project, an organization that works to improve software security.
“The fact that there’s one vulnerability is an indication that there might have been other vulnerabilities,” Rietta said. “We should want to fix vulnerabilities, not pretend they’re not there until it is exploited by the bad guys.”
When Kemp’s office found out about the problem, Broce repeatedly dismissed it. While some of Wright’s concerns weren’t validated, the GBI files confirmed that anyone could alter web addresses to access other voters’ information on the My Voter Page.
Then Broce said changes to the website were routine, meant to accommodate high traffic prior to Election Day, when in fact election officials were fixing a vulnerability Wright had brought to their attention.
“We make changes to our website all the time,” Broce told ProPublica and GPB at the time. “We always move our My Voter Page to a static page before Election Day to manage volume and capacity. It is standard practice.”
Even after the GBI cleared Wright, Broce said the investigation was appropriate.
Wright declined to comment for this article, but he answered a list of questions for the attorney general’s office about his findings.
“I do not engage in ‘hacking’ activities. I reported the vulnerability that I discovered on the SOS My Voter Webpage because I was concerned that our elections process might not be secure,” Wright wrote.
Broce suspected a Democratic Party plot to undermine Kemp’s credibility, according to an interview with the GBI.
She was also facing questions about security weaknesses from reporters for the website WhoWhatWhy, who she speculated were working with the plaintiffs in the election security lawsuit.
Broce told investigators that cybersecurity companies had identified attempts to exploit voter registration websites, but they weren’t able to verify where the scans came from. Those companies later verified that they originated with Homeland Security.
Soon after WhoWhatWhy published its article alleging that a hacker could compromise Georgia’s election, Broce posted a press release on the secretary of state’s website saying that the office was opening an investigation of the Democratic Party, alleging a hacking attempt.
Ghazal, with the Democratic Party, said in an interview that the party reported the website vulnerabilities but made no effort to publicize them, contact news media or turn them into an attack.