Georgia election server wiped days after lawsuit
Days after activists filed a lawsuit over the security of Georgia’s election systems, the university housing the servers at the center of the case wiped them of all data.
The servers had been in the possession of the Center for Elections Systems (CES) at Kennesaw State University, which had been contracted to maintain Georgia’s election systems. The state ended its relationship with Kennesaw State in July.
According to emails retrieved by one of the plaintiffs in that case through an open records request and provided to The Hill, information technology (IT) staff first confirmed deleting files from the system on July 7 — four days after the suit was filed.
{mosads}In March, the CES was notified by researcher Logan Lamb that a vulnerability in web security allowed attackers to read internal files not meant for public consumption. Those files included voter records which contained the date of birth and Social Security number of 5.7 million Georgians. They also included memos containing credentials to the state’s ExpressPoll brand electronic poll book.
Georgia held a congressional election shortly after, with Republican Karen Handel defeating Democrat John Ossoff. The lawsuit alleges that with the data vulnerable, attackers might have affected the election.
On July 7, an IT staffer sent an email confirming he had used DBAN, a secure file deletion program, to erase the hard drives.
“Per your instructions regarding the reimaging and installation of the CES server, we DBAN’d the hard drives,” an IT staffer emailed to Davide Gaetano, whose LinkedIn profile lists him as “AVP of Educational Technology Engineering Innovation.”
Later, the IT staff subjected hard drives to strong magnetic fields, wiping them of all information.
Plans had been in place since before the lawsuit to decommission the vulnerable server, and there does not appear to have been a legal order to prevent the drives from being deleted.
“It looks bad for them,” said Marilyn Marks, one of the plaintiffs in the suit, who filed the Freedom of Information Act requests to retrieve the files.
“But what we really wanted to have was a forensic investigation to see who accessed the server other than Logan Lamb. Now we don’t have access,” she said.
Kennesaw State University declined to comment to The Hill, citing the pending legal matter.
–This story was updated at 3:08 p.m.
Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed..