Update: EasyVote Solutions, LLC, the company at the center of a data breach that impacted Sedgwick County election workers, has wrapped up its investigation of the incident and is notifying people who were impacted, Election Commissioner Angela Caudillo said.

The company will provide credit monitoring and identity theft protection for one year to those who had their full Social Security number or driver’s license number exposed, Caudillo told the Sedgwick County Commission on April 6. She added that she’s advocating for EasyVote to also provide credit monitoring and identity theft protection for election workers who had a partial Social Security number exposed.

EasyVote’s investigation “determined that an unauthorized individual accessed certain files in their online storage system,” Caudillo said. “They were not able to determine definitively whether other files were accessed, so they reviewed all files in that location to determine who might be at risk.”

Documents for some Sedgwick County election workers were included in that storage location.

On March 31, we published a follow-up story the detailed how some Sedgwick County election workers were getting mixed messages about the impact of the data breach.

A data breach by a county contractor may have exposed documents with personal information of at least 829 county election workers, Sedgwick County Election Commissioner Angela Caudillo said Wednesday. 

This includes 168 election workers’ Social Security numbers or driver’s license numbers and the partial Social Security numbers of 82 others, Caudillo said in her report to the Sedgwick County Commission. An additional 579 people had other publicly available information exposed, such as name, address and date of birth.

The sensitive documents were Sedgwick County election worker applications and human resources onboarding paperwork.

The Sedgwick County Election Office mailed letters Tuesday and Wednesday to 5,000 active and inactive election workers. The letters notified them of the breach and what personal information could have been exposed. 

Caudillo also told commissioners that the contractor that experienced the breach, EasyVote Solutions, LLC, is expected to provide credit monitoring or identity theft service to those impacted. 

“In the event that they do not, commissioners, I can assure you that you will see me before you again asking for a way to provide relief to those who are affected,” Caudillo said.

It’s not clear whether the county’s contract with EasyVote includes provisions for credit monitoring or other services.

“I am reviewing the contract, and it’s hard to tell,” Caudillo said. “I don’t think that is specifically lined out in the contract.” 

Charles Davis, the company’s chief financial officer, did not respond to an email from The Wichita Beacon asking whether the company would provide credit monitoring services for Sedgwick County residents. The company became aware on Jan. 31 that some of its data may have been available online and notified Sedgwick County Feb. 4, weeks before the county took any action to inform election workers. 

The company informed Sedgwick County as late as March 4 that it was not aware of any sensitive data from the county that was affected by the leak, Caudillo told the commission.

Caudillo’s presentation on Wednesday is the first time the county has publicly addressed the data breach and its impact on Sedgwick County election workers. The Beacon first reported the data breach on March 10. A second story detailed the expanding scope of the breach. 

How many election workers were impacted?

On March 11, Sedgwick County received a copy of nearly 1,200 documents uploaded to EasyVote’s system. According to an email to Caudillo from Ron Davis, EasyVote’s CEO, these documents were not necessarily accessed by anyone who wasn’t supposed to read or see them.

“I verified with the vendor that these approximately 1,200 documents were all of the documents we had uploaded into the system,” Caudillo said during the county commission meeting. 

From a review of these files, the Sedgwick County Election Office found that 168 contained a full Social Security number or driver’s license number, while 82 contained a partial Social Security number.

But files independently reviewed by The Beacon indicate that exposed files of at least 181 individual election workers contained a full Social Security number or driver’s license number.

When asked about the difference, Caudillo said the county’s estimate of data was preliminary.

“The number I provided was based on our initial review of the data we received and we are anxiously awaiting a full report from the vendor,” Caudillo wrote in an email to The Beacon.

As of March 19, EasyVote was still reviewing the files that were exposed and what information was included, Davis wrote in an email to The Beacon. Additionally, a cybersecurity firm the company hired is conducting a forensic investigation that should be completed in several days, Caudillo told the commission.

County officials are hoping that the company’s investigation will report which files were accessed by anyone who wasn’t supposed to read or see them.

Future of EasyVote contract

The county commission approved a five-year, $137,750 contract with Georgia-based EasyVote Solutions in April 2020 to help the county manage election workers. The EasyVote software the county uses does not generate or record ballots and is not used to determine election results, Caudillo said. 

The contract requires an annual renewal, which the commission will consider in April, Caudillo said. 

“When that comes back around, I’ll have a lot of questions about how we do this next time,” said County Commissioner Jim Howell, whose son’s own data was exposed in the breach. 

“Policywise, when someone provides their sensitive data to us, we need to protect it,” Howell said. “Unless they have a need to have that information, we should never give someone’s Social Security number to EasyVote Solutions. I don’t think they have a need for it.”