Friday, the Maryland election board released a report that says an estimated 600,000 voters’ full Social Security numbers were exposed to potential hacking. The State Board of Elections failed to fully protect the voters’ personal information, according to the report.
The audit also criticized the state election officials for mishandling a variety of issues, including disaster preparedness, balancing and contracting its books and ballot security.
A hearing was called in response to the audits report, which sparked a strong reaction from the board’s administrator, Linda H. Lamone and its critics.
Director of the Center for Health and Homeland Security of the University of Maryland School of Law, Michael Greenberger, said, “This audit is an A-to-Z criticism of the way the board operates.” He went on to say the findings are “damning” and call for board to establish an independent bipartisan commission of computer experts to investigate the board’s handling of data technology issues.
Lamone responded by saying she agreed with many of the findings, but “virtually everything” identified in the report has already been addressed.
“We were working on a lot of these things, even before the auditors came in,” she said.
The auditor’s findings revealed that state election officials kept nearly 592,000 inactive and active voters’ full nine-digit Social Security numbers in its database. The numbers totaled up to almost 15 percent of the state’s 4.1 million registered voters. Only the four last digits of the Social Security number is supposed to be retained in a state’s database. The report also said that the board shared the voters’ personal information, including the last four digits of Social Security numbers and driver’s license numbers with Electronic Registration Information Center (ERIC), a nonprofit that assists the United States identify people that are ineligible to vote, without first ensuring the information was safeguarded.
State officials cooperation with ERIC was not questioned, but the auditors said they had not received satisfactory assurances that the third-party organization and its external contractor were adequately protecting the data.
Lamone said the information provided to ERIC does not contain nine-digit Social Security numbers and the data is encrypted prior to it being sent to the organization. “You can’t get into ERIC data. There’s no way,” she said.
According to the auditors, the state election board permitted too many people to access the database, did not ensure the accuracy its voter registration rolls and permitted voters to be given ballots simply by supplying publicly available information, such as address, date of birth and name.
The agency could not explain why it ended its 2015 budget year with a deficit of $34 million.