Georgia Democrats sue governor over unfounded 2018 hacking claims

A lawsuit seeks to remove two press releases that baselessly accused Democrats of hacking the state's voter registration database after a researcher found severe security flaws.
(Getty Images)

The Georgia Democratic Party on Tuesday sued Gov. Brian Kemp and one of the governor’s top aides over accusations that Kemp made in 2018, while he was serving as secretary of state, that Democrats had “hacked” the state’s voter registration database.

In the 37-page complaint filed in federal district court, Georgia Democrats argued that Kemp “baselessly” alleged that the party was “under investigation for possible cyber crimes” just days before an election in which Kemp was the Republican nominee for governor, while also serving as the state’s top election official. Kemp’s office issued press releases asserting that the Democrats had attempted to illegally access the voter database, and that the party was being investigated by the secretary of state’s office as well as state and federal law enforcement.

Along with Kemp, the lawsuit also named his spokesperson at the time, Candice Broce, who now serves as chief operating officer in the governor’s office. Both press releases remain published on the website of the secretary of state’s office, which is now occupied by Brad Raffensperger.

But Kemp’s accusations were picked apart within days. The alleged “hacking” occurred when a Georgia resident researching election security discovered a flaw in the secretary of state’s website that allowed users to easily download the personally identifiable information of any registered voter, including partial Social Security numbers, the Democrats’ suit reads. That resident, who was not affiliated with the Democratic Party, alerted an election lawyer in Washington, D.C., who in turn notified the Georgia party and Kemp’s attorneys.


The website’s flaws were also reported by a nonprofit voting rights organization and the FBI, according to the lawsuit, and the Georgia Bureau of Investigation cleared the individual who found the flaw of any wrongdoing.

But the flaws discovered were serious. Harri Hursti, an organizer of the DEF CON conference’s Voting Village, is quoted in the complaint as describing the Georgia voter database findings as “the equivalent of having the bank safe door open.”

The flaws were quickly patched, though ProPublica reported at the time that Kemp’s office made the fixes without much public acknowledgment.

At the time, cybersecurity analysts were quick to mock Kemp. Adam Levin of CyberScout told StateScoop that Kemp’s accusation was “outrageous” and a “shiny object” designed to distract from the gubernatorial election. It was also not the first time Kemp had mistaken ordinary network behavior for malicious activity: In 2016, he accused the Department of Homeland Security of hacking his office’s networks, which turned out to be a false alarm set off by a DHS employee verifying a professional license.

But the Georgia Democrats argue in the suit that the 2018 press releases continue to harm the party as long as they remain available on the secretary of state’s website. The party is is asking for less than $20 in financial damages, as the suit primarily demands the press releases’ removal.


Neither Kemp or Broce have responded to the suit yet, and Georgia Democrats did not respond to a request for comment.

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.

Latest Podcasts