Kris Kobach’s Office Put Thousands of State Employees’ Partial Social Security Numbers Online

This is a bad look for the man who wants data on every voter in the country.

Kansas Secretary of State Kris Kobach launches his campaign for the Republican nomination for governor in June 2017. John Hanna/AP File

Fight disinformation: Sign up for the free Mother Jones Daily newsletter and follow the news that matters.

The office of Kansas Secretary of State Kris Kobach, which controls sensitive information on millions of American voters through the Interstate Crosscheck Program, posted online the partial Social Security numbers of thousands of state employees and politicians—including Kobach’s own. It’s the latest in a series of security breaches involving Kobach, a candidate for governor this year who ran President Donald Trump’s election integrity commission until it folded earlier this month.

Many Kansas state employees and candidates for office must fill out a public disclosure form to document financial or business interests that could pose a conflict of interest. The form includes an optional field asking for the last four digits of their Social Security numbers, known as an SSN4, to help the state can differentiate between state employees with similar names. Kobach’s office posted more than 100,000 of these forms on its website, Gizmodo’s Dell Cameron discovered. The combination of name and SSN4 can be cross-referenced against previously hacked databases, such as the massive Yahoo breach in 2013, allowing hackers to identify, locate, hack, steal the identities of, and, in some extreme cases, blackmail those exposed.

Kobach is the nation’s most vocal proponent of restrictive voting laws, and together with his allies on the election commission, he sought to generate evidence of voter fraud in order to promote these laws. He led an attempt by the commission to collect personal data on every voter in America but was partly or fully rebuffed by nearly every state government. He has faced mounting questions in recent weeks over security breaches and privacy concerns with Crosscheck, a system that compares voter registration data from more than 30 states and flags matches that suggest a person is registered in more than one state. Studies have shown that Crosscheck produces false positives at the alarming rate of 99 percent.

Not only is Crosscheck’s data unreliable; it’s also not secure. As Mother Jones reported this fall, Crosscheck has been uploading data files over unsecured systems and emailing login credentials back and forth. This means that Crosscheck—along with the data on millions of voters it contains—is vulnerable to hacking. As Shawn Davis, director of digital forensics at Edelson PC, a Chicago-based law firm specializing in technology issues, explained to Mother Jones:

If a hacker sent a “phishing email” to Kansas pretending to be from another state that’s part of Crosscheck, Davis says, he or she could potentially get access to the voter files of every state participating in Crosscheck. That information could be stolen, released, or even modified, Davis says. “It’s not very secure at all,” he says of Crosscheck.

This and other revelations, including the leak of SSN4 information in Florida, pushed Kobach’s office to improve security this year. Researchers still believe that Crosscheck data is significantly exposed to hacking. If states can’t trust Kobach with their data, some could withdraw from the program.

Following an inquiry from Gizmodo, Kobach’s office took the information down from its website, but it admitted no wrongdoing, noting that Kansas law requires making the forms publicly available. But Kobach’s office clearly dealt carelessly with the information, even if it didn’t break any laws. As Gizmodo discovered, the website purportedly required a password to access the records, but anyone with the URL could circumvent the login process. Moreover, Kobach’s office could have realized that it was problematic to ask for SSN4s on publicly available forms and pushed to revise the form.

WHO DOESN’T LOVE A POSITIVE STORY—OR TWO?

“Great journalism really does make a difference in this world: it can even save kids.”

That’s what a civil rights lawyer wrote to Julia Lurie, the day after her major investigation into a psychiatric hospital chain that uses foster children as “cash cows” published, letting her know he was using her findings that same day in a hearing to keep a child out of one of the facilities we investigated.

That’s awesome. As is the fact that Julia, who spent a full year reporting this challenging story, promptly heard from a Senate committee that will use her work in their own investigation of Universal Health Services. There’s no doubt her revelations will continue to have a big impact in the months and years to come.

Like another story about Mother Jones’ real-world impact.

This one, a multiyear investigation, published in 2021, exposed conditions in sugar work camps in the Dominican Republic owned by Central Romana—the conglomerate behind brands like C&H and Domino, whose product ends up in our Hershey bars and other sweets. A year ago, the Biden administration banned sugar imports from Central Romana. And just recently, we learned of a previously undisclosed investigation from the Department of Homeland Security, looking into working conditions at Central Romana. How big of a deal is this?

“This could be the first time a corporation would be held criminally liable for forced labor in their own supply chains,” according to a retired special agent we talked to.

Wow.

And it is only because Mother Jones is funded primarily by donations from readers that we can mount ambitious, yearlong—or more—investigations like these two stories that are making waves.

About that: It’s unfathomably hard in the news business right now, and we came up about $28,000 short during our recent fall fundraising campaign. We simply have to make that up soon to avoid falling further behind than can be made up for, or needing to somehow trim $1 million from our budget, like happened last year.

If you can, please support the reporting you get from Mother Jones—that exists to make a difference, not a profit—with a donation of any amount today. We need more donations than normal to come in from this specific blurb to help close our funding gap before it gets any bigger.

payment methods

WHO DOESN’T LOVE A POSITIVE STORY—OR TWO?

“Great journalism really does make a difference in this world: it can even save kids.”

That’s what a civil rights lawyer wrote to Julia Lurie, the day after her major investigation into a psychiatric hospital chain that uses foster children as “cash cows” published, letting her know he was using her findings that same day in a hearing to keep a child out of one of the facilities we investigated.

That’s awesome. As is the fact that Julia, who spent a full year reporting this challenging story, promptly heard from a Senate committee that will use her work in their own investigation of Universal Health Services. There’s no doubt her revelations will continue to have a big impact in the months and years to come.

Like another story about Mother Jones’ real-world impact.

This one, a multiyear investigation, published in 2021, exposed conditions in sugar work camps in the Dominican Republic owned by Central Romana—the conglomerate behind brands like C&H and Domino, whose product ends up in our Hershey bars and other sweets. A year ago, the Biden administration banned sugar imports from Central Romana. And just recently, we learned of a previously undisclosed investigation from the Department of Homeland Security, looking into working conditions at Central Romana. How big of a deal is this?

“This could be the first time a corporation would be held criminally liable for forced labor in their own supply chains,” according to a retired special agent we talked to.

Wow.

And it is only because Mother Jones is funded primarily by donations from readers that we can mount ambitious, yearlong—or more—investigations like these two stories that are making waves.

About that: It’s unfathomably hard in the news business right now, and we came up about $28,000 short during our recent fall fundraising campaign. We simply have to make that up soon to avoid falling further behind than can be made up for, or needing to somehow trim $1 million from our budget, like happened last year.

If you can, please support the reporting you get from Mother Jones—that exists to make a difference, not a profit—with a donation of any amount today. We need more donations than normal to come in from this specific blurb to help close our funding gap before it gets any bigger.

payment methods

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate