Georgia election server wiped days after lawsuit

Georgia election server wiped days after lawsuit
© Getty Images

Days after activists filed a lawsuit over the security of Georgia's election systems, the university housing the servers at the center of the case wiped them of all data.

The servers had been in the possession of the Center for Elections Systems (CES) at Kennesaw State University, which had been contracted to maintain Georgia's election systems. The state ended its relationship with Kennesaw State in July. 

According to emails retrieved by one of the plaintiffs in that case through an open records request and provided to The Hill, information technology (IT) staff first confirmed deleting files from the system on July 7 — four days after the suit was filed. 

ADVERTISEMENT
In March, the CES was notified by researcher Logan Lamb that a vulnerability in web security allowed attackers to read internal files not meant for public consumption. Those files included voter records which contained the date of birth and Social Security number of 5.7 million Georgians. They also included memos containing credentials to the state's ExpressPoll brand electronic poll book.

Georgia held a congressional election shortly after, with Republican Karen Handel defeating Democrat John Ossoff. The lawsuit alleges that with the data vulnerable, attackers might have affected the election. 

On July 7, an IT staffer sent an email confirming he had used DBAN, a secure file deletion program, to erase the hard drives. 

"Per your instructions regarding the reimaging and installation of the CES server, we DBAN'd the hard drives," an IT staffer emailed to Davide Gaetano, whose LinkedIn profile lists him as "AVP of Educational Technology Engineering Innovation."

Later, the IT staff subjected hard drives to strong magnetic fields, wiping them of all information. 

Plans had been in place since before the lawsuit to decommission the vulnerable server, and there does not appear to have been a legal order to prevent the drives from being deleted.

"It looks bad for them," said Marilyn Marks, one of the plaintiffs in the suit, who filed the Freedom of Information Act requests to retrieve the files.

"But what we really wanted to have was a forensic investigation to see who accessed the server other than Logan Lamb. Now we don’t have access," she said.

Kennesaw State University declined to comment to The Hill, citing the pending legal matter.

Georgia Secretary of State Brian Kemp (R) said in a statement his office had opened an investigation into the files being deleted and was working with the FBI to retrieve copies of the hard drives made when the FBI investigated the original announcement of security vulnerabilities. Kemp said  Kennesaw State did not inform his office they planned to wipe the drives. 
 
"The Secretary of State's office had no involvement in this decision, and we would never direct someone to take such action," he said. 
 
"This pattern of reckless behavior is exactly why we are ending our relationship with KSU and the Center for Elections Systems and moving functionality in-house," he continued. 

--This story was updated at 3:08 p.m.