Right before the election, Brian Kemp, at the time Georgia’s secretary of state and the Republican candidate for governor, announced an investigation into state Democrats, claiming they’d hacked him. He said he’d alerted federal authorities.
Now, more than two weeks later, Kemp is governor-elect, and the Democrats he accused say they’ve yet to hear a word from any would-be investigators.
“We have not heard from the various acronym agencies that Brian Kemp decided to include in his press release, and we do not expect to hear from them,” Seth Bringman, spokesperson for the Georgia Democratic Party, told BuzzFeed News in an email.
On Nov. 4, two days before Election Day, Kemp’s office issued a press release claiming, without providing evidence, that Georgia Democrats had engaged in a “failed hacking attempt” of the secretary of state’s voter registration system.
“Federal partners, including the Department of Homeland Security and Federal Bureau of Investigation, were immediately alerted,” the release said. It quoted the office’s press secretary, Candice Broce, as saying, “I can confirm that the Democratic Party of Georgia is under investigation for possible cyber crimes.”
The FBI generally doesn’t confirm or deny if an investigation actually exists, and declined to in this instance. DHS doesn’t conduct criminal investigations, but does provide technical support and cybersecurity analysis services upon request, though the secretary of state’s office didn’t do that.
Reached for comment, Broce told BuzzFeed News that it’s actually the Georgia Bureau of Investigation’s newly opened Cyber Crime Center that’s handling the investigation. GBI confirmed the existence of an investigation but declined to share details. Bringman said that the GBI hadn’t contacted any state Democrats either.
“They wouldn’t reach out to the Democratic Party unless they saw some forensic evidence that points back to the Dems,” Sean Kelley, who previously oversaw cybersecurity for the Environmental Protection Agency, told BuzzFeed News.
As a candidate, Kemp campaigned on the allegation in the closing days of the election. “These power-hungry radicals should be held accountable for their criminal behavior,” he said in a press release.
A spokesperson for Kemp, who resigned as secretary of state two days after the election, declined to comment and referred the matter to Broce, who is still the press secretary for acting secretary of state Robyn Crittenden. “I cannot provide additional information. I must refer all further inquiries to GBI,” Broce told BuzzFeed News.
The apparent cause of the secretary of state’s hacking claim started the morning of Nov. 3, when an amateur cybersecurity researcher name Richard Wright emailed a volunteer for state Democrats, Rachel Small, to alert her to a vulnerability in the secretary of state’s My Voter website. Small emailed that to the party’s voter protection director, Sara Ghazal, who then forwarded it to two Georgia Tech professors, one of whom worked on Kemp’s election commission. While the secretary of state’s office denied that such a vulnerability existed, someone soon patched it.
Wright has declined to speak directly with reporters, but said through an intermediary that he also hasn’t been contacted by any federal investigators or the GBI.
Though Broce declined to share specifics of the investigation with BuzzFeed News, a text she sent to some reporters indicates it was small. Soon after Kemp’s accusation, Broce texted reporters Kemp’s apparent lead: “The FBI is looking for information on ‘Rachel Small.’ We welcome any information about this person’s identity or motives to provide to federal authorities. Who is Rachel Small? Is that her real name, and for whom does she work? Why was she talking about trying to hack the Secretary of State’s system with Sara Ghazal, the Democratic Party of Georgia’s Voter Protection Director?”
Kemp has previously made false hacking accusations. In 2016, he claimed DHS had hacked his secretary of state website. That prompted a federal inspector general investigation, which found that the culprit was a federal employee checking Georgia’s firearms license database.
Richard Wright’s name was misstated and Sean Kelley’s name was misspelled in an earlier version of this post.