UPDATE 10/6: ProPublica, a nonprofit investigative news organization, found that Georgia state officials have rewritten the code on the state's voter registration site -- despite having said no such vulnerability existed.
In the days leading up to the gubernatorial election in Georgia, Republican candidate and Georgia Secretary of State Brian Kemp has alleged the voter registration database has been hacked and has launched an investigation into the Georgia Democratic Party.
However, the lawyer who said he alerted Kemp's office and the FBI to the possible vulnerability in the voting registration database told Atlanta Inno that there is no evidence of a hack, nor that said hack involved the Democratic Party.
Attorney David Cross with Morrison & Foerster, who represents voter advocacy plaintiffs who are suing Kemp’s office in an effort to stop the use of potentially vulnerable voting machines in Georgia elections, said he was the first to notify Kemp's office and the FBI on Saturday that a private citizen had identified a possible vulnerability in the registration database.
Cross said he was contacted by a man named Richard Wright late Friday afternoon about a vulnerability on the voter registration website. Wright told Cross that he noticed the way he was able to access his own voter information suggested to him that others could also access it, and possibly alter it. Meanwhile, independent computer scientists told The Associated Press anyone with access to a voter's personal information could potentially alter that voter's record.
"Meaning if someone wanted to, they could go into the system and probably download all voter registration information, including PII, and maybe alter it for some number of voters," Cross said.
Cross' team tried to identify if there was a vulnerability without accessing anything on the system. By Saturday morning, Cross said he felt that the potential for a threat seemed legitimate enough to contact the authorities.
"We alerted the FBI. I alerted Secretary Kemp’s office through his outside counsel, who I spoke to directly, and what we conveyed was that there might be a vulnerability here, we don’t know and we think Kemp’s office needs to put their own election security people on this, investigate it and figure out if it is real, and if it is, fix it," Cross said. "I provided on Saturday the name and phone number for Richard Wright and encouraged them to reach out to him to begin an investigation. The next thing I knew, there was an article in the AJC announcing Kemp was claiming without any evidence that the Democrats had tried to hack the election, and I’m not aware of anything at all the support that."
"This is about a concerned voter who identified what could be a very serious vulnerability and instead of investigating it, it looks like Kemp decided to spin the story and put on a narrative that focused on the Democratic Party instead of his own failings."
According to Cross, who spoke with Atlanta Inno shortly after noon on Monday, no one from Kemp's office has contacted Wright since being alerted to the vulnerability on Saturday. Despite being on notice of the vulnerability and receiving encouragement from the FBI to investigate the potential threat, Cross said he has seen no indication the Secretary of State's office has launched an investigation.
"No effort has been made to investigate what [Richard Wright] discovered or what he did," he said. "Which also raises a serious question about the veracity of their claim on Saturday night that there’s been no breach of the database---of the data on their website. How could they possibly know that without even talking to the person who raised this vulnerability? They have no idea what Richard Wright did or did not did not do, or what he found. They didn’t talk to him. And they have no way of knowing whether anyone else has exploited that vulnerability, so that statement doesn’t appear to have any basis of fact at all."
Atlanta Inno contacted Atlanta's FBI field office spokesperson Kevin Rowson Monday morning, who said the agency would not comment on the matter.
Representatives from Kemp's office did not respond to requests for comment prior to deadline Monday afternoon. In comments made to the AJC earlier on Monday, Kemp defended his decision to investigate but offered no evidence implicating the Democratic Party.
Cross said he understood the database contains sensitive information such as driver's license numbers, dates of birth and partial social security numbers, along with names and addresses of voters.
"I’m the one who brought this to their attention, both through the FBI and through their counsel," he said. "And if you look at the statement that (sic) came out of him most recently, he said that they opened the hacking investigation based on information provided to their lawyers. The only people I know who spoke to their lawyers, it wasn’t the Democratic Party, it was me. And I didn’t mention the Democratic Party because the Democratic Party has literally nothing at all the do with this."
Members of the Democratic Party only became involved, Cross said, when Wright also contacted them about the vulnerability as a second avenue to alert authorities. Based on the emails that have been released by local Democratic representatives, Cross said they simply forwarded Wright's emails to Kemp's cybersecurity election expert.
"Everyone absolutely should go vote tomorrow."
"If they’re relying on what their lawyers told them, that’s what I told them," he said. "And it didn’t involved the Democratic Party at all. That wasn’t something that came up in our conversation, nor would it. This is about a concerned voter who identified what could be a very serious vulnerability and instead of investigating it, it looks like Kemp decided to spin the story and put on a narrative that focused on the Democratic Party instead of his own failings."
Despite a potential vulnerability, Cross still encouraged people to go to the polls on Tuesday. He suggested voters double check their registration information at My Voter Page and alert Kemp's office if anything listed was inaccurate. If voters run into problems at the polls, they can cast a provisional ballot, he said.
"Everyone absolutely should go vote tomorrow," he said.
A spokesperson for Kemp's office was quoted by the New York Times stating the investigation was triggered by an email the Secretary of State's office had received where a woman named Rachel Small was “talking about trying to hack the Secretary of State’s system,” and sent to the Democrats' voter protection director, Sara Ghazal.
The Democratic Party in Georgia released emails on Sunday night, which appear to highlight and find troubling weaknesses in the Georgia election system, the NYT reports.
On Sunday, Kemp formally asked the FBI to investigate the Democratic Party about the alleged hacking.
