A data exposure caught by elections officials in October compromised the personal information of 113,000 Alaskans but had no impact on the actual election results, Lt. Gov. Kevin Meyer said Thursday.
The exposure involved the online voter registration database, which is separate from the voter tabulation system.
“The results of the election are accurate, and we have been doing hand counts to verify that,” Meyer told reporters Thursday.
State officials said “outside actors” accessed the data through a flaw in the online voter registration system, which has since been patched. They were able to pull registered voters’ names, dates of birth, state identification numbers, last four digits of Social Security numbers, addresses and party affiliations. (Party affiliations, names and addresses are already publicly available through the state’s voter information database.)
The online voter registration system, which is only 5 years old, is separate from the overall registered voter database. It only includes people who have updated their voter information in the past five years.
During a press conference Thursday, the state’s chief information security officer, Mark Breunig, declined to answer several questions due to an ongoing investigation into the data exposure.
The state was informed of the exposure by law enforcement, and Meyer said he learned about it Oct. 27. Breunig declined to say which law enforcement agency discovered it.
State officials said the breach was done by “outside actors” but declined to define that term.
Meyer said the reason the state didn’t disclose the incident until now is because when he learned of the exposure, he didn’t know the extent of the damage. The state hired an outside vendor to investigate it, and law enforcement was investigating as well.
“We are now at that point where we feel confident that we have a pretty good handle on the number of people who have been impacted,” he said.
In a statement, Division of Elections director Gail Fenumiai said the state believes the data has only been used for propaganda. But when asked if propaganda was distributed and for a description of the propaganda, state officials did not have clear answers.
“I think this is more just a belief on our part, than I can say factually,” Meyer said.
Also in October, some Alaskans received an email attempting to intimidate voters. Federal authorities said voters in several states were targeted, and later said Iran was behind the attack. But it is not clear if the two incidents are related. When asked if that attack is connected to the data exposure announced Thursday, Breunig declined to answer, saying it was an ongoing investigation.
The state is mailing a notification to everyone who is believed to be affected. On Thursday, the state said people can also call 1-833-269-0003 to ask questions or check to see if their information was compromised. However, later on Thursday, a division of elections spokeswoman said the division was having issues with that phone number and said a different number was available in the interim: 1-877-375-6508.
People whose information was compromised will get free credit and identity theft monitoring and other services, including $25,000 in identity theft insurance.
State officials said they do not believe that any economic information was compromised. Chief Assistant Alaska Attorney General Cori Mills said the state checked and found there has not been any increase in identity theft since the information was taken.
“We don’t see this as any more concerning — from a breach perspective, identity theft perspective — as any other notification you may hear from a larger corporation where this happens,” she said.
Meyer said almost as many Alaskans voted by mail or early as did on Election Day. Because of a delayed count in early votes, the outcomes of some races changed significantly after mail-in ballots were processed. This caused some people to question the results, Meyer said, which is why he called for an audit of voting on Ballot Measure 2.
Meyer reiterated several times during the news conference that the breach did not affect the election results and said there is no sign of voter fraud or any other such issues.
When asked if the data exposure aimed to help one political party, he said, “I don’t think we have any evidence either way.”