In late January, allegations were leveled that former Sen. Norm Coleman’s campaign faked the crash of its website, claiming droves of disenfranchised voters brought down the server seeking info on whether their votes were counted. While that charge hasn’t been definitively proven, the scrutiny by web enthusiasts exposed a bigger problem for the campaign: an unprotected database that contained information on campaign donors, including names, email and home addresses, credit card numbers and the three-digit security codes. On Tuesday, donors received an email from the website Wikileaks alerting them that the site has revealed some of the database information.
“We understand that Norm Coleman became aware of the leak in January,” the note reads, in part.
A link to the original database was posted in comments at the Minnesota Independent and MNPublius on January 28. I contacted the campaign then about the site crash, but never got a response.
The Wikileaks email also included a link to the Minnesota statute that requires entities using “data that includes personal information” to “disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
This disclosure, the statute states, “must be made in the most expedient time possible and without unreasonable delay …”
“The information has been passed around out of public view,” the email continues. “We have sent you this note as a curtesy [sic] in case Norm Coleman has not contacted you previously.”
It continues:
In line with our policy of complete neutrality for whistleblowers and political sources, the material will be treated impartially. We support all those who engage in the struggle for political reform and wish you well.
A second email includes a link to an Excel spreadsheet that shows donor names, addresses, employers, the last four digits of each credit card and the CSC security code (the spreadsheet protects the full credit card numbers, but the original database, exposed in January, didn’t). A second spreadsheet, which appears to be part of the campaign’s get-out-the-vote efforts, includes less revealing information about supporters.
Update: The Hill indicates that it’s been in contact with the Coleman campaign, which acknowledged “that the private information of its supporters has probably been breached and is encouraging them to cancel their credit cards.”
Campaign spokesman Cullen Sheehan wrote in an email to supporters that there was no “evidence that our database was downloaded by any unauthorized party,” but he doesn’t dispute the possibility that security has been breached. Several IT professionals interviewed by the Minnesota Independent in late January revealed they had downloaded the database, which was not password protected. This fact seems to contradict Sheehan’s report about findings by federal authorities looking into the case. They “did not find evidence that our database was downloaded by any unauthorized party.”
“At this point, we don’t know if last evening’s e-mail is a political dirty trick or what the objective is of the person who sent the e-mail,” he added.
More as this story develops.
11 Comments
Comment posted March 11, 2009 @ 10:13 am
…but if there’s no evidence that the database was downloaded by any unauthorized party, that would mean that they think that Wikileaks was authorized. And, therefore, if it’s a dirty political trick, it’s THEIR dirty political trick…
Pingback posted March 11, 2009 @ 10:38 am
[...] The Minnesota Independent adds that Wikileaks pointed out that if the campaign knew of the leak and failed to alert donors immediately, there has been a violation of state law. Minnesota statute 325E.61 states: (a) Any person or business that conducts business in this state, and that owns or licenses data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in paragraph (c), or with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data system. [...]
Comment posted March 11, 2009 @ 10:51 am
I find it curious that not only did the Coleman campaign fail to secure the data as well as any mom & pop internet storefront would, but also that they were storing the credit card security codes. There are specific credit card industry regulations, called PCI, that call this out as a big no-no. It’s the sort of thing that can allow your bank to cancel your credit card payee clearing privileges. You can also get sued for doing this. Well, you or I could get sued. A Senator like Coleman is probably above the law and common industry regulations like the rest of us.
Comment posted March 11, 2009 @ 11:30 am
That would be “Excel spreadsheet.” The data has nothing to do with our local energy company.
Comment posted March 11, 2009 @ 11:39 am
Norm Coleman’s campaign is the only party at fault in this situation. They are the ones who actively put their entire database online for anyone to download simply by clicking a link; no hacking nor special knowledge required. This is documented on several websites back in January. So why has this taken so long to enter the public forum? Why has the Coleman campaign taken so long to give notice to their supporters that they not only released, but illegally stored their credit card information?
This release of information is not the only bad part, as it seems the parties involved with the Wikileaks disclosure actually protected the cardholder’s full credit card number. Coleman’s campaign actively violated Payment Card Industry Data Security Standards (PCI DSS) by storing the full card number and expiration date unencrypted, which isn’t permitted. Even worse, they stored the security code on the back of the card, and storage isn’t permitted in any case, for any reason, with or without encryption.
This is complicated by the political nature of the information. Donors who gave an amount small enough to avoid being reported in campaign financial reporting documents will now find that their full name, address, employer, occupation and credit card information has been published by the campaign they donated to!
This is a disgusting example of poor security, and blame needs to lie with the Coleman campaign and their web developers. Blame further lies with the Coleman campaign and their media operations for not notifying their donors that their information had been published. I say published, because the information wasn’t breached, stolen, or otherwise hacked. It was PUBLISHED and DISTRIBUTED via the Coleman website. No “federal authorities” are going to look at firewall logs when the Coleman campaign actively disclosed their own database, so who do you think should be the parties the “federal authorities” investigate? Hopefully they’ll investigate the Coleman campaign itself.
Certainly, if someone were to use the card numbers or actively distribute the card numbers, it would be illegal and unethical. But at this point, Wikileaks and their source didn’t release full card numbers. Who knows what will happen next in that regard? If “federal authorities” found that nobody had accessed the database, which was again openly published on the Coleman website, how did Wikileaks get an Excel spreadsheet of every single web donation?
Coleman Campaign Manager Cullen Sheehan writes in a press release that there is a “…strong likelihood that these individuals have found a way to breach private and confidential information.” Well, generally there’s MORE than a “strong likelihood” when the campaign PUBLISHES the said private and confidential information on their website!
So, what’s next? The Coleman campaign needs to admit fault, and tell donors that there’s not a “likelihood” of a breach, but that it actually happened, and that they are at fault. They need to stop blaming “hackers,” and start blaming their web developers.
I further call for the Minnesota Attorney General’s office and state authorities to investigate this matter and charge the Coleman campaign for violations of Minnesota Statute §325E.61, specifically relating to their disclosure of personal information and neglect to notify donors, or more accurately, lie about the reasons behind the disclosure.
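The PCI DSS storage rules the commenter above describes (the full card number may not be kept in the clear, and the security code may never be stored at all) translate directly into two routines a campaign’s developers could have run: one that strips a donation record down to what may be persisted, and one that audits an existing database or spreadsheet export for data that should not be there. The code below is an added example written for this page; it is not code from the Coleman campaign, the Minnesota Independent, Wikileaks or any commenter. The field names (`pan`, `csc`, and so on) and the two donation records are constructed sample data, not anything from the leaked files.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records, shaped like the donor fields the thread describes
# (name, employer, card data). Every value here is made up; these are test card
# numbers, not real accounts.
RAW_DONATIONS: List[Dict[str, str]] = [
    {"name": "Donor One", "employer": "Example Co", "pan": "4111111111111111",
     "expiry": "12/11", "csc": "123", "amount": "25.00"},
    {"name": "Donor Two", "employer": "Sample LLC", "pan": "5500 0000 0000 0004",
     "expiry": "03/12", "csc": "456", "amount": "100.00"},
]

# Sensitive authentication data: PCI DSS forbids storing these after
# authorization, encrypted or not. The CSC/CVV is the one the thread is about.
NEVER_STORE = {"csc", "cvv", "cvv2", "cvc", "cid", "track", "pin"}
# Hypothetical column names a site might use for the primary account number,
# which may only be kept truncated or tokenized.
PAN_FIELDS = {"pan", "card_number", "cc"}

# Run of 13-19 digits, optionally separated by spaces or dashes, not glued to
# other digits. Candidates are confirmed with the Luhn check below.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: distinguishes a card-number-shaped string from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_for_storage(record: Dict[str, str]) -> Dict[str, str]:
    """Return the only form of a donation record that may be persisted.

    The CSC is dropped outright; the PAN is replaced by its last four digits,
    which is what the leaked spreadsheet's redacted version kept.
    """
    out: Dict[str, str] = {}
    for key, value in record.items():
        name = key.lower()
        if name in NEVER_STORE:
            continue                       # never written anywhere
        if name in PAN_FIELDS:
            digits = re.sub(r"\D", "", value)
            out["pan_last4"] = digits[-4:]
            continue
        out[key] = value
    return out


def audit_export(rows: List[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Scan stored or exported rows for data that PCI DSS says must not be there.

    Returns (row index, field, reason) for each finding; an empty list means clean.
    """
    findings: List[Tuple[int, str, str]] = []
    for idx, row in enumerate(rows):
        for key, value in row.items():
            if key.lower() in NEVER_STORE:
                findings.append((idx, key, "sensitive authentication data present"))
                continue
            for match in PAN_RE.finditer(str(value)):
                digits = re.sub(r"\D", "", match.group())
                if luhn_ok(digits):
                    findings.append((idx, key, "full card number in the clear"))
                    break
    return findings


if __name__ == "__main__":
    print("raw records:", audit_export(RAW_DONATIONS))
    safe = [redact_for_storage(r) for r in RAW_DONATIONS]
    print("after redaction:", audit_export(safe))
```

Run against the constructed records, `audit_export` flags both the `pan` and `csc` columns in every raw row, and reports nothing once the rows have passed through `redact_for_storage`. The audit is the part worth keeping around: pointed at a database dump or a CSV export, the Luhn check keeps it from flagging every phone number or order id while still catching card numbers that were stored with spaces or dashes, and the column-name check catches the case the thread complains about, a security-code column that should never have existed.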
Pingback posted March 11, 2009 @ 2:50 pm
[...] never got replies, leading Wikileaks to eventually call the donors directly. Good reporting on it here, with a twist. Wikileaks claims that the Coleman campaign was aware of the breach, and has been [...]
Pingback posted March 12, 2009 @ 12:49 am
[...] by Phoenix Woman on March 12, 2009 – The MnIndy reports that Norm Coleman’s donor list was found on an unsecured portion of his web… The discovery was made as a result of people trying to determine if Coleman had crashed his own [...]
Pingback posted March 12, 2009 @ 11:57 am
[...] the Minnesota Independent: …scrutiny by web enthusiasts exposed a bigger problem for the campaign: an unprotected database [...]
Comment posted March 12, 2009 @ 12:48 pm
But don’t forget, Republicans like Sen. Coleman are the ones who kept you safe from Islamofascist terrists (9/12 and after, that is; everything before that was Klintoon’s fault) and socialest Demoncrats and lieberals who want to redistribute your hard-earned wealth to furriners and to lazy losers who don’t want to work and who buy houses they can’t afford.
Teabag party!
– A True ‘Murkin
Comment posted March 12, 2009 @ 3:53 pm
Widtap – that’s EX-Senator.
Pingback posted March 23, 2009 @ 8:51 am
[...] stored and your purchasing history tracked (and perhaps sold). Or a political campaign worker can compromise your credit card information on its web site (committing numerous violations of CISP in the [...]