This is starting to get sad.

Prior to receiving notice from Gizmodo this morning, Kris Kobach’s office was leaking sensitive information belonging to thousands of state employees, including himself and nearly every member of the Kansas state legislature.

Along with a bevy of personal information contained in documents that, according to a statement on the website, was intended to be public, the Kansas Secretary of State’s website left exposed the last four digits of Social Security numbers (SSN4) belonging to numerous current and former candidates for office, as well as thousands—potentially tens of thousands—of high-ranking state employees at virtually every Kansas government agency.

The combination of a person’s name and SSN4 creates what’s commonly called “personally identifiable information,” the unauthorized disclosure of which is unlawful under numerous state and federal laws. Putting these statements of substantial interest online without redacting the SSN4 information is beyond reckless; it’s stupid.

While scanning the documents on the public website, Gizmodo found SSN4 information for employees at the Kansas Departments of State, Transportation, Education, Labor, Health and Environment, and Aging and Disability Services; staff members at Kansas State University, Wichita State University, Pittsburg State University, and the University of Kansas; serving members of the Coordinating Council on Early Childhood Development, the Human Rights Commission, the Board of Veterinary Examiners, and the Behavioral Sciences Regulatory Board; as well as district attorneys, correctional officers, and other law enforcement officials—just to name a few.

Gizmodo notified the Kansas Secretary of State’s office of the exposure on Thursday morning, and the site was taken down within roughly an hour. A request for comment was not returned.

The documents, known as “statements of substantial interests,” are required to be filled out by every state employee of note—legislators, state officers, and members of boards, councils and commissions—and various candidates for office. Under Kansas state law, these individuals are required to disclose any substantial financial interests they have in any businesses or interests held by their spouses.

In the interest of accountability, the information added to those forms is supposed to be public record. But the form itself also includes an “optional” field that asks for the last four digits of the employee’s Social Security number, explicitly for one purpose: to aid the state in properly identifying individuals whose full names may be shared by other state employees.

Gizmodo identified 106,834 such forms on the Kansas government website, though it’s not immediately clear how many contained SSN4 information. A single individual might have multiple forms; some only had one, others had eight. But at least several thousand Kansans are exposed, including Kobach himself and Bryan Caskey, the Kansas director of elections, as well as Kirk Thompson, the director of the Kansas Bureau of Investigations.

Screenshot of Kris Kobach’s form containing SSN4 previously exposed on the Kansas Secretary of State’s website.

Based on the overall number of records and what appears to be the average number of records per individual, it is likely that the database contains paperwork on tens of thousands of unique individuals. The records date back to at least 2005, before the substantial interests form was digitized. Paper records from before digitization were also made available for download.

Examining all of the records would likely take weeks, so to get a rough idea of how many of the forms contain SSN4 information, Gizmodo examined paperwork for 165 individuals whose information had been put online by Kobach’s office—specifically, we examined documents on every member of the Kansas state legislature.

It became quickly apparent that counting the number of lawmakers who were not exposed would be far easier than counting those who were: Ninety percent of the Kansas state legislature included SSN4 information on their forms, including 117 out of 125 state representatives and 34 out of 40 state senators. (Previous state lawmakers were also found in the database dating back several years.)

This exposure of personally identifiable information is a stupid and easily avoidable mistake, which has likely gone on for several years. While the site—which is intended for public access—did have a login page, which anyone could use to register a username and password to access the records, doing so was unnecessary. Because of the site’s terrible design, anyone who knew the URL for the search page didn’t need to provide the Secretary of State’s office with any information whatsoever before viewing the forms.

Kobach, the Republican frontrunner in the Kansas gubernatorial election, has been secretary of state since 2011, when it appears the records were first digitized. (It’s difficult to say because some state employees, for whatever reason, have continued submitting paper forms to this day.)

Kobach’s forms date back to 2010. There were more than 106,800 records, but long-term employees have multiple files.

Kobach’s office has spent the past few weeks trying to convince the Kansas legislature that it is, in fact, equipped to handle voluminous amounts of sensitive voter records. The interstate Crosscheck program, which is overseen by Kobach’s office, has lost control over voter data—including partial Social Security numbers—on several occasions over the past six months. Most recently, nearly 1000 Kansans were exposed after data amassed for the Crosscheck program was mistakenly leaked in Florida.

Kobach is a notorious exaggerator and recently claimed that the Crosscheck program is absolutely essential to safeguarding the integrity of the nation’s voter rolls. “If the Crosscheck program were to go away, then we would be unable to catch virtually all of the double voters,” he told the Wichita Eagle, adding: “there are thousands of them across the country.” But truthfully, there are other programs that serve the same purpose, such as the one administered by the Electronic Registration Information Center, which hasn’t suffered any apparent data leaks and is based on a methodology founded by actual data scientists.

Kobach is currently running for governor of Kansas. As part of his campaign, he frequently lobs attacks at the Kansas legislature, claiming as governor he would “drain the swamp” and dispense with a “culture of corruption.” Likely, none of the legislators will be too happy to learn today that the secretary’s office has long put them at risk of identity theft.

Last year, Kobach was named as vice chairman of President Trump’s commission on voter integrity, which was forced to shut down this month amid a flurry of lawsuits, including one brought by one of the panel’s own members, who had claimed that Kobach was concealing information about the commission’s activities from its Democratic members.

Update, 2:18pm: The Kansas Secretary of State’s office sent Gizmodo the following statement, in which it is argued that the sensitive information had to be released by law, but was removed from the website anyway. The office will still release partial Social Security numbers to members of the public if they request it in person.

Under Kansas law, public servants and candidates for state office are required to disclose certain information so the public is aware of any financial interests they hold. This form is called a Statement of Substantial Interest (SSI). The Kansas Governmental Ethics Commission has the authority over what information is requested and what is made public. The Kansas Secretary of State’s office is required by statute to make the information requested by the Ethics Commission publicly available.

Kansas Secretary of State Kris Kobach does not believe that the last four of a person’s social security number should be part of this publicly available information. However, currently Kansas law requires the entire SSI to be released. Secretary Kobach has taken all statements off of the office website. The statements are still available for someone to request in person pursuant to Kansas statute.

Secretary Kobach takes security measures very seriously and is looking for a solution that would allow this sensitive information to be redacted, while still following the rule of law. SSIs are an important tool in ensuring government transparency and any solution should reflect this fact.

Questions regarding the information requested in an SSI should be directed to the Kansas Governmental Ethics Commission.

Correction: A previous version of this article referred to Derek Schmidt as the director of the Kansas Bureau of Investigations. Schmidt is the attorney general. Kirk Thompson, whose Social Security information was exposed by the Kansas secretary of state, is the director of the Kansas Bureau of Investigations. Gizmodo regrets the error.