ATLANTA — Georgia's online voter database morphed into a last-minute curveball in one of the nation's hottest governor's races, with Republican nominee Brian Kemp making a hacking allegation against Democrats just as reports emerged of a gaping vulnerability in a system that Kemp controls as secretary of state.
An attorney for election-security advocates suing Kemp in his role as Georgia's chief elections officer notified the FBI and Kemp's office on Saturday that a private citizen alerted him to what could be a major flaw in the database used to check in voters at the polls. Independent computer scientists told The Associated Press that it enables anyone with access to an individual voter's personal information to alter that voter's record.
In response, Kemp asked the FBI on Sunday to investigate the Democratic Party for trying to hack the system.
Kemp's office did not detail any Democratic acts, offering no evidence for beginning a probe of his partisan opposition days before an election.
Democrat Stacey Abrams told ABCNEWS on Monday that she believes her opponent "cooked up the charge, because he realizes, once again, he left the personal information of six million voters vulnerable. This has happened twice before."
"This is another failure of his leadership, and he recognizes that if he got caught two days before the election having exposed so many Georgians, he would lose, so he did what he always does always, blame someone else for his mistakes," she said.
Polls suggest Kemp and Abrams are locked in a tight race that already evolved into a bitter back-and-forth over voting rights and ballot security.
The state Democratic Party called Kemp's accusation "a reckless and unethical ploy" and said he was using the FBI to support "false accusations."
According to AP interviews and records released by the Georgia Democratic Party, the lawyer for the election-security advocates, David Cross, notified both the FBI and Kemp's counsel Saturday morning that a citizen had alerted him to the flaw. But the citizen had separately informed the Georgia Democratic Party, whose voter protection director then sent an email to two computer security officials.
"If this report is accurate, it is a massive vulnerability," wrote the director, Sara Tindall Ghazal. Party officials provided the AP with the email, its recipients' names redacted.
Neither Cross nor the state party went public.
But reporters for the online news outlet WhoWhatWhy obtained a copy of the Ghazal email and the email that Democratic Party officials received from the private citizen who discovered the flaw, Richard Wright.
Let our news meet your inbox. The news and stories that matters, delivered weekday mornings.
They published a story Sunday just as Kemp's office released its statement accusing Democrats of attempted hacking.
"While we cannot comment on the specifics of an ongoing investigation, I can confirm that the Democratic Party of Georgia is under investigation for possible cybercrimes," said Candice Broce, who works for Kemp.
Rebecca DeHart, executive director at the state Democratic Party, said no one from Kemp's office notified the Democratic Party or asked any question about the correspondence before issuing its public announcement of an investigation.
WhoWhatWhy's story said five security experts had reviewed the Wright complaint and independently confirmed that the database is vulnerable to hacking.
One of those experts, University of Michigan computer scientist Matthew Bernhard, told the AP that anyone with access to an individual voter's personal information could alter that voter's record in the system.
Another computer security professional who reviewed the vulnerability — without attempting to probe it for fear of prosecution — is Kris Constable of PrivaSecTech in Vancouver, Canada. "Anyone with security chops would have detected this problem," he said, "so (the system) clearly has never been audited by any computer security professional."
The FBI declined to comment. A representative for the Department of Homeland Security confirmed the agency had been notified, but it deferred to Georgia officials for details.
Cross said Wright, a businessman with "some background in software," doesn't wish to speak publicly.
The Coalition for Good Governance, a plaintiff in the voting integrity lawsuit against Kemp, issued a statement decrying his outsourcing of the voter registration database and electronic poll book voter check-in system to a third party, PCC Technologies.
"There are still immediate steps that Secretary Kemp and the State Election Board can take to mitigate some, but not all, of the risk for Tuesday's vote," the group said.
Efforts to reach PCC for comment have not been successful.
The drama played out on a day Kemp campaigned alongside President Donald Trump in Macon. Trump made no mention of the issue at the rally, and earlier, as he left the White House for Georgia, said he didn't know anything about it.
The finger-pointing is the latest turn in a campaign whose final weeks have been dominated by charges of voter suppression and countercharges of attempted voter fraud.
In the voting integrity case, a federal judge last month endorsed the plaintiff's arguments that Kemp has been derelict in his management of the state election system and that it violates voters' constitutional rights with its lack of verifiability and reliability.
Abrams, who would be the nation's first black female governor, has called Kemp "an architect of voter suppression" and says he's used his current post to make it harder for certain voters to cast ballots. Kemp counters that he's following state and federal law and that it's Abrams and her affiliated voting advocacy groups trying to help people, including noncitizens, cast ballots illegally.
The atmosphere has left partisans and good-government advocates alike worrying about the possibility that the losing side will not accept Tuesday's results as legitimate.
The accusation is not the first from Kemp accusing outsiders of trying to penetrate his office. Immediately after the 2016 general election, Kemp declared that DHS tried to hack his office's network, an accusation dismissed as unfounded in mid-2017 by the DHS inspector general.
Even before he was running for governor, Kemp faced criticism over Georgia's election system.
Georgia's centrally managed elections system lacks a verifiable paper trail that can be audited in case of problems. The state is one of just five nationwide that continues to rely exclusively on aged electronic voting machines that computer scientists have long criticized as untrustworthy because they are easily hacked and don't leave a paper trail.
In 2015, Kemp's office inadvertently released the Social Security numbers and other identifying information of millions of Georgia voters. His office blamed a clerical error.
His office made headlines again last year after security experts disclosed a gaping security hole that wasn't fixed until six months after it was first reported to election authorities. Personal data was again exposed for Georgia voters — 6.7 million at the time — as were passwords used by county officials to access files.
Kemp's office blamed that breach on Kennesaw State University, which managed the system on Kemp's behalf.