ATLANTA (AP) — Georgia’s online voter database morphed into a last-minute curveball in one of the nation’s hottest governor’s races, with Republican nominee Brian Kemp making a hacking allegation against Democrats just as reporting emerged of a gaping vulnerability in a system that Kemp controls as secretary of state.
Kemp’s office did not detail any nefarious acts by Democrats, offering no evidence for Sunday’s unusual action that effectively means the state’s chief elections officer began a probe of his partisan opposition days before an election.
Polls suggest Kemp and Democrat Stacey Abrams are locked in a tight race that even before Sunday had evolved into a bitter back-and-forth over voting rights and ballot security.
The state Democratic Party called Kemp’s accusation “a reckless and unethical ploy” and said he was using the FBI to support “false accusations.”
According to interviews conducted by The Associated Press and records released by the Georgia Democratic Party, the saga built steam quickly in the days before Kemp’s statement.
An attorney who represents election-security advocates already suing Kemp over his job performance said a private citizen alerted him Friday to a suspected major flaw in the voter database that is used to check in voters in Tuesday’s midterm.
The lawyer, David Cross, notified both the FBI and Kemp’s counsel Saturday morning. But the citizen had separately informed the Georgia Democratic Party, whose voter protection chief then sent an email to two computer security officials.
“If this report is accurate, it is a massive vulnerability,” wrote the official, Sara Tindall Ghazal. Party officials provided the AP with the email, its recipients’ names redacted.
Neither Cross nor the state party went public.
But reporters for the online news outlet WhoWhatWhy obtained a copy of the Ghazal email and the email that Democratic Party officials received from the private citizen who discovered the flaw, Richard Wright.
They published a story Sunday just as Kemp’s office released the statement accusing the Democrats of attempted hacking. “While we cannot comment on the specifics of an ongoing investigation, I can confirm that the Democratic Party of Georgia is under investigation for possible cybercrimes,” said Candice Broce, who works for Kemp.
Rebecca DeHart, executive director at the state Democratic Party, said no one from Kemp’s office notified the Democratic Party or asked any question about the correspondence before issuing its public announcement of an investigation. DeHart called it a “political stunt” to cover up the weaknesses in a system Kemp runs.
WhoWhatWhy’s story said five security experts had reviewed the Wright complaint and independently confirmed that the database is vulnerable to hacking.
One of those experts, University of Michigan computer scientist Matthew Bernhard, told the AP that anyone with access to an individual voter’s personal information could alter that voter’s record in the system.
Another computer security professional who reviewed the vulnerability — without attempting to probe it for fear of prosecution — is Kris Constable of PrivaSecTech in Vancouver, Canada. “Anyone with security chops would have detected this problem,” he said, “so (the system) clearly has never been audited by any computer security professional.”
The FBI declined to comment on the matter. A representative for the Department of Homeland Security confirmed the agency had been notified, but it deferred to Georgia officials for details.
Cross, the attorney who said he alerted the FBI, said Wright doesn’t wish to speak publicly. Cross described Wright as a businessman with “some background in software.”
The Coalition for Good Governance, a plaintiff in the voting integrity lawsuit against Kemp, issued a statement decrying his outsourcing of the the voter registration database and electronic poll book voter check-in system to a third party, PCC Technologies.
“There are still immediate steps that Secretary Kemp and the State Election Board can take to mitigate some, but not all, of the risk for Tuesday’s vote,” the group said.
Efforts to reach PCC for comment have not been successful.
The drama played out on a day Kemp campaigned alongside President Donald Trump in Macon. Trump made no mention of the issue at the rally and earlier, as he left the White House for Georgia, said he didn’t know anything about it.
The finger-pointing is the latest turn in a campaign whose final weeks have been dominated by charges of voter suppression and countercharges of attempted voter fraud.
Abrams, who would be the nation’s first black female governor, has called Kemp “an architect of voter suppression” and says he’s used his current post to make it harder for certain voters to cast ballots. Kemp counters that he’s following state and federal law and that it’s Abrams and her affiliated voting advocacy groups trying to help people, including noncitizens, cast ballots illegally.
The atmosphere has left partisans and good-government advocates alike worrying about the possibility that the losing side will not accept Tuesday’s results as legitimate.
The accusation is not the first from Kemp accusing outsiders of trying to penetrate his office. Immediately after the 2016 general election, Kemp declared that DHS tried to hack his office’s network, an accusation dismissed in mid-2017 by the DHS inspector general as unfounded.
Even before he was running for governor, Kemp faced criticism over Georgia’s election system.
Georgia’s centrally managed elections system lacks a verifiable paper trail that can be audited in case of problems. The state is one of just five nationwide that continues to rely exclusively on aged electronic voting machines that computer scientists have long criticized as untrustworthy because they are easily hacked and don’t leave a paper trail.
In 2015, Kemp’s office inadvertently released the Social Security numbers and other identifying information of millions of Georgia voters. His office blamed a clerical error.
His office made headlines again last year after security experts disclosed a gaping security hole that wasn’t fixed until six months after it was first reported to election authorities. Personal data was again exposed for Georgia voters — 6.7 million at the time — as were passwords used by county officials to access files.
Kemp’s office laid the blame for that breach on Kennesaw State University, which managed the system on Kemp’s behalf.
In the voting integrity case, a federal judge last month endorsed the plaintiff’s arguments that Kemp has been derelict in his management of the state election system and that it violates voters’ constitutional rights with its lack of verifiability and reliability.
Associated Press writers Michael Balsamo, Colleen Long and Jill Colvin in Washington and Ben Nadler in Atlanta contributed to this report.