Fired state worker speaks out after Georgia data breach report

Kemp has also hired Deloitte to do an independent audit of his office’s IT operations, policies, procedures and system security. That effort will cost about $400,000 and is expected to be finished by early April.

The state employee fired over a massive data breach by the Georgia Secretary of State’s Office said Tuesday “it was just a kick in the teeth” to be blamed for the gaffe involving the release of more than 6 million voters’ private data.

Longtime state programmer Gary Cooley took the brunt of the blame in a report released late Monday by the office and the state Department of Human Resources —the first full accounting by the state of what happened.

"I was very disappointed, because of the fact that I have put in 20 years in that office night and day working on large, successful, high-profile projects," Cooley said in his first comments about the report, which accused him of flouting office protocol and policy in a series of events that led to the breach.

The report provides new details into the breach, but also confirmed much of a narrative provided by Cooley two weeks ago exclusively to The Atlanta Journal-Constitution.

Among key points in the report, Cooley is said to have shared his user ID with another employee, Kevin Reaves, who was then able to access the statewide public voter file. After an outside vendor tasked with managing voter data accidentally posted the sensitive data to that file, the report said Cooley did not notify anyone of the mistake.

“I did not give my personal credentials to (another) employee,” Cooley said. “There were generic credentials created by the vendor…so that the elections division would be able to access the statewide voter file for public distribution.”

"On Oct. 13th, when I found out what mistake the vendor made by adding the sensitive fields to the…voter file, I immediately checked the system to see if the file had been downloaded," Cooley said. "From what I was seeing in the system, it didn't appear that the file had been downloaded, so the vendor corrected their mistake and created a test file for review. At this point I thought we did not have an issue."

What Cooley did not know is that Reaves had burned it onto compact discs. It is a routine action, since the discs are mailed monthly to groups, including the AJC,that regularly subscribe to “voter lists” maintained by the state. In all, 12 organizations received those discs, including state political parties, news media organizations and Georgia GunOwner Magazine.

“The employee in the elections division that puts the file on the CDs broke the security protocol by downloading the file to his personal hard drive,” Cooley said. “He broke the audit trail. He created the 12 CDs from that copy of the file on his hard drive.”

“I was told when the election division employee’s boss asked him why he didn’t check the file before he mailed it out to the public, he said because the file was too big to pull up,” Cooley said. “The fact that this employee answered the question that way should tell us that he knew he was supposed to check the file but decided on his own not to.”

The report blamed Cooley for not providing the office a way to read big data files, including the voter file. Cooley said that assertion was ridiculous.

Cooley said any employee could see a sample of the data — a large number of rows, in this case — which still would have allowed Reaves to see that the voter file contained confidential data if he had opened it using Microsoft Excel.

“I didn’t add the three sensitive fields to the file,” Cooley said. “I didn’t put the file on the CDs. I didn’t send the file out to the public.”

Cooley said he found out about the data breach on the same day, Nov. 13, as the office did “when my boss, Merritt Beaver, called me around 5 p.m. that evening,” he said.

Kemp has said all 12 data discs have either been recovered or destroyed.