Editor’s note: We updated this story on March 23 to clarify that information reviewed by The Wichita Beacon showed that the Social Security numbers of 176 election workers for Sedgwick County were exposed.

The personal information of at least 150 more Sedgwick County election workers has been exposed following a data breach, according to information reviewed by The Wichita Beacon. This is up from the 30 election workers originally reported. 

As the scope of the data breach widens, the Sedgwick County Election Office said it’s changing course and now plans to inform election workers of the breach in letters mailed this week.

“We are in the process of notifying election workers of the breach, and are still working to determine what details might have been compromised,” Sedgwick County Election Commissioner Angela Caudillo wrote in an email to The Wichita Beacon on Friday.  

EasyVote Solutions, LLC, a company that Sedgwick County contracts with to manage election workers, became aware Jan. 31 that some of its data may have been available online, according to Charles Davis, the company’s chief financial officer. Sedgwick County’s push to notify election workers comes at least five weeks after EasyVote informed the county of the breach on Feb. 4.

On March 10, a Beacon investigation revealed that the information of 30 county election workers was publicly exposed following a data breach impacting EasyVote. The personal data made public included Social Security numbers, addresses and dates of birth.

But new information reviewed by The Beacon following the initial reporting showed that personal data of at least 180 Sedgwick County election workers was exposed, including at least 176 Social Security numbers. This included at least two relatives of elected officials in the city or county.

The Sedgwick County election office did not initially plan to notify election workers of the breach. EasyVote initially told the county that the company was not aware of any sensitive data of county residents being exposed, according to Caudillo.

But after The Beacon first reported the breach earlier this month, EasyVote provided the Sedgwick County Election Office with “a copy of the data ostensibly subject to the breach,” Caudillo wrote in an email to The Beacon. Caudillo did not respond to a question to confirm how many Sedgwick County employees were impacted.

An election worker whose personal data was exposed criticized the county for not taking action more quickly.

“We should have been notified of the possible breach when it was first brought to their attention,” the worker wrote in an email to The Wichita Beacon. “We entrusted the county, not EasyVote, to keep our information secure and they failed.  The County should provide a remedy.”

The election worker requested anonymity to avoid publicizing that their personal information was compromised.

County ‘exploring all legal avenues’ with EasyVote contract

The Sedgwick County Commission approved a five-year, $137,750 contract with Georgia-based EasyVote Solutions in April 2020 to help the county manage election workers. The EasyVote software the county uses does not generate or record ballots and is not used to determine election results, Caudillo said. 

But going forward, the county is “exploring all legal avenues” regarding the EasyVote contract, Caudillo wrote in an email to The Beacon. 

“I can assure you that we are exploring all legal avenues available to us regarding our contract with this vendor, this incident, and obtaining relief for those potentially affected by this third-party data breach,” Caudillo wrote.

Whitney Tempel, director of communications and policy for the Kansas secretary of state’s office, which appointed Sedgwick County’s election commissioner, wrote that “the vendor will be held accountable.”

A notification to election workers in Beaufort County, S.C. — where at least two poll workers were impacted by the data breach — indicates that EasyVote is “working with a credit monitoring service to assist those affected by the breach.”

Davis with EasyVote did not respond to an email from The Beacon asking whether the company would provide this credit monitoring service for Sedgwick County residents impacted by the breach.

County Commissioner Jim Howell, whose son’s personal information was exposed, said that he is “very upset” about the data breach.

“I can tell you that it’s my intent personally that we stand by our employees and we make this right, whatever that means,” Howell said.

County Commissioner David Dennis referred questions about the breach to the secretary of state’s office. 

The three other county commissioners did not respond to questions The Beacon asked via email. 

More about the EasyVote data breach

After learning about the breach Jan. 31, EasyVote disabled access to the storage location that housed the data and put it into a more secure environment, according to Davis. EasyVote also involved a cybersecurity firm to help after the breach was discovered, he added.

Caudillo directed questions about how long the data was exposed online to EasyVote. Davis did not respond to a March 7 email from The Beacon asking about the amount of time documents were online.

As of March 19, the company is still reviewing the files that were exposed and what information was included, Davis said.

“Based on the results of that review, which we are working diligently to complete, we will notify involved individuals in accordance with applicable law,” Davis wrote in an email to The Beacon on March 19. “We continue to remain in communication directly with Sedgwick County regarding our review of the files of theirs that may be involved.”

State law enforcement is investigating the data breach in South Carolina, where the personal information of at least two poll workers was exposed. But the Kansas Bureau of Investigation is not investigating a data breach related to EasyVote Solutions, according to KBI communications director Melissa Underwood.

According to The Island Packet in Hilton Head, S.C., the Federal Bureau of Investigation is investigating the South Carolina data breach.

Dixon Land, an FBI spokesperson in Kansas City, said he could not confirm or deny the bureau was investigating the data breach.