Thursday, January 25, 2018

Kris Kobach’s Office Leaks Last 4 Social Security Digits of Nearly Every Kansas Lawmaker and Thousands of State Employees, Including Kris Kobach


This is starting to just get sad.

Prior to receiving notice from Gizmodo this morning, Kris Kobach's office was leaking sensitive information belonging to thousands of state employees, including himself and nearly every member of the Kansas state legislature.

Among a bevy of personal information that, according to a statement on the website, was intended to be public, the Kansas Secretary of State's website was exposing the last four digits of Social Security numbers (known as SSN4) of thousands of current and former candidates for office, as well as thousands, or potentially tens of thousands, of high-ranking state employees at apparently every Kansas government agency.

The combination of a person's name and SSN4 creates what's commonly called "personally identifiable information," the unauthorized disclosure of which is unlawful under numerous state and federal laws. Putting these statements of substantial interest online without redacting the SSN4 information is beyond reckless; it's stupid.

While scanning the records on the public website, Gizmodo found SSN4 information for employees at the Kansas Departments of State, Transportation, Education, Labor, Health and Environment, and Aging and Disability Services; staff members at Kansas State University, Wichita State University, Pittsburg State University, and the University of Kansas; serving members of the Coordinating Council on Early Childhood Development, the Human Rights Commission, the Board of Veterinary Examiners, and the Behavioral Sciences Regulatory Board; as well as district attorneys, correctional officers, and other law enforcement officials—just to name a few.

Gizmodo notified the Kansas Secretary of State's office of the exposure on Thursday morning, and the site was taken down within roughly an hour. A request for comment was not returned.

The forms, known as "statements of substantial interests," are required for every state employee of note—legislators, state officers, and members of boards, councils and commissions—and various candidates for office. Under Kansas state law, these individuals are required to disclose any substantial financial interests they have in any businesses or interests held by their spouses.

In the interest of accountability, the information added to those forms is supposed to be public record. But the form itself also includes an "optional" field that asks for the last four digits of the employee's Social Security number, explicitly for one purpose: to aid the state in properly identifying individuals whose full names may be shared by other state employees.

Gizmodo identified 106,834 such forms on the Kansas government website, though it's not immediately clear how many contained SSN4 information. A single individual might have multiple forms; some only had one, others had eight. But at least several thousand Kansans are exposed, including Kobach himself and Bryan Caskey, the Kansas director of elections, as well as Derek Schmidt, the director of the Kansas Bureau of Investigations.

Screenshot of Kris Kobach's form containing SSN4 previously exposed on the Kansas Secretary of State's website.

Based on the overall number of records and what appears to be the average number of records per individual, it is likely that the database contains paperwork on tens of thousands of unique individuals. The records date back to at least 2005, before the substantial interests form was digitized. Paper records from before digitization were also made available for download.

Examining all of the records would likely take weeks, so to get a rough idea of how many of the forms contain SSN4 information, Gizmodo examined paperwork for 165 individuals whose information had been put online by Kobach's office—specifically, we examined documents on every member of the Kansas state legislature.

It quickly became apparent that counting the number of lawmakers who were not exposed would be far easier than counting those who were: Ninety percent of the Kansas state legislature included SSN4 information on their forms, including 117 out of 125 state representatives and 34 out of 40 state senators. (Previous state lawmakers were also found in the database dating back several years.)

This exposure of personally identifiable information is a stupid and easily avoidable mistake, which has likely gone on for several years. While the site—which is intended for public access—did have a login page, which anyone could use to register a username and password to access the records, doing so was unnecessary. Because of the site's terrible design, anyone who knew the URL for the search page didn't need to provide the Secretary of State's office with any information whatsoever before viewing the forms.

Kobach, the Republican frontrunner in the Kansas gubernatorial election, has been secretary of state since 2011, when it appears the records were first digitized. (It's difficult to say because some state employees, for whatever reason, have continued submitting paper forms to this day.)

Kobach's forms date back to 2010. There were more than 106,800 records, but long-term employees have multiple files.

Kobach's office has spent the past few weeks trying to convince the Kansas legislature that it is, in fact, equipped to handle voluminous amounts of sensitive voter records. The interstate Crosscheck program, which is overseen by Kobach's office, has lost control over voter data—including partial Social Security numbers—on several occasions over the past six months. Most recently, nearly 1000 Kansans were exposed after data amassed for the Crosscheck program was mistakenly leaked in Florida.

Kobach is a notorious exaggerator and recently claimed that the Crosscheck program is absolutely essential to safeguarding the integrity of the nation's voter rolls. "If the Crosscheck program were to go away, then we would be unable to catch virtually all of the double voters," he told the Wichita Eagle, adding: "there are thousands of them across the country." But truthfully, there are other programs that serve the same purpose, such as the one administered by the Electronic Registration Information Center, which hasn't suffered any apparent data leaks and is based on a methodology founded by actual data scientists.

Kobach is currently running for governor of Kansas. As part of his campaign, he frequently lobs attacks at the Kansas legislature, claiming as governor he would "drain the swamp" and dispense with a "culture of corruption." Likely, none of the legislators will be too happy to learn today that the secretary's office has long put them at risk of identity theft.

Last year, Kobach was named as vice chairman of President Trump's commission on voter integrity, which was forced to shut down this month amid a flurry of lawsuits, including one brought by one of the panel's own members, who had claimed that Kobach was concealing information about the commission's activities from its Democratic members.

Update, 2:18pm: The Kansas Secretary of State's office sent Gizmodo the following statement, in which it is argued that the sensitive information had to be released by law, but was removed from the website anyway. The office will still release partial Social Security numbers to members of the public if they request it in person.

Under Kansas law, public servants and candidates for state office are required to disclose certain information so the public is aware of any financial interests they hold. This form is called a Statement of Substantial Interest (SSI). The Kansas Governmental Ethics Commission has the authority over what information is requested and what is made public. The Kansas Secretary of State's office is required by statute to make the information requested by the Ethics Commission publicly available.

Kansas Secretary of State Kris Kobach does not believe that the last four of a person's social security number should be part of this publicly available information. However, currently Kansas law requires the entire SSI to be released. Secretary Kobach has taken all statements off of the office website. The statements are still available for someone to request in person pursuant to Kansas statute.

Secretary Kobach takes security measures very seriously and is looking for a solution that would allow this sensitive information to be redacted, while still following the rule of law. SSIs are an important tool in ensuring government transparency and any solution should reflect this fact.

Questions regarding the information requested in an SSI should be directed to the Kansas Governmental Ethics Commission.