Looks like Norm has another headache to deal with. Besides being on the threshold of the Exit door of the Senate, it appears that someone has accessed private info about, among other things, his contributors.
This story is starting to gain traction in the Minneapolis news and blogosphere and I'm hoping to help get this out to a broader audience.
The first link I saw is HERE.
Coleman campaign: 50,000 supporters had personal data leaked
By Emily Kaiser in Franken vs. Coleman
Wednesday, Mar. 11 2009 @ 4:02PM
Norm Coleman is dealing with a public relations disaster today as they try to control information about a potential leak of personal data from 50,000 donors, says the Associated Press.
At least 4,715 of those donors also had their financial information leaked. Those donors are being told to cancel their credit card immediately. The others just had their contact information leaked.
Coleman's campaign might be crying out against hackers, but some are saying they made this data easy to access on their site.
Check out our story from earlier today for the background. More from the AP:
"If you are trying to intimidate people who may have given money to the Coleman campaign by threatening their privacy or doing something like that, what that might have is a chilling effect on fundraising efforts by the Coleman campaign," said Fritz Knaak, a Coleman attorney.
Sheehan and Knaak said the campaign became aware of a possible security breach in January, but a probe then found that no unauthorized party had accessed the confidential information. Two Minnesota political Web sites wrote at the time about loosely guarded donor data on Coleman's Web page.
Minnesota law requires prompt disclosure of any breach involving personal information, such as credit card numbers and security codes. The custodian of the information can be fined for failing to make timely notifications, although there is an exemption when the disclosure can interfere with law enforcement needs.
Knaak said he's confident the campaign complied with the notification law. The campaign is advising donors to contact their credit card company and cancel the card at issue, but hasn't heard of misuse of any financial accounts yet.
While Coleman's team is trying to say this was some evil hacker out to destroy their supporters, others are calling them out for making the information easy to access.
Minnesota Independent spoke to the IT professional Adria Richards who was able to access the information on their site without any "hacking" involved.
"It's not hacking," she said. "I didn't use any hacking tools. A browser was my tool."
Richards said she discovered the database by entering normcoleman.com, into OpenDNS' cache-check tool, which gave her an IP address where the Web site lived. Simply copying that address into a Firefox browser revealed the Web site directories for normcoleman.com.
"All you needed was a Web browser," she said. "It's like I walked over to Norm Coleman's house and saw his door was open, took a photo of the open door and posted it on the Internet."
She published a screen capture and then wrote about it on her blog.
The Hill's original info can be seen HERE.
Coleman supporters' private info likely breached
By Aaron Blake
Posted: 03/11/09 09:45 AM [ET]
Norm Coleman’s Senate campaign said Wednesday that the private information of its supporters has probably been breached and is encouraging them to cancel their credit cards.
Coleman backers began receiving e-mails Tuesday night from an e-mail address at wikileaks.org stating that it possessed personal information about them and was preparing to post it online.
The same address stated in an e-mail early Wednesday morning that "we have discovered that all on-line Coleman contributors had their full credit card details released onto the Internet on 28 of [January], 2009, by Coleman's staff."
Coleman’s campaign followed with an e-mail Wednesday morning that said the campaign became worried that its firewalls had been breached in January.
"We contacted federal authorities at that time, and they reviewed logs from the server in question as well as additional firewall logs," campaign manager Cullen Sheehan said. "They indicated that, after reviewing those logs, they did not find evidence that our database was downloaded by any unauthorized party.
"Let me be very clear: At this point, we don't know if last evening's e-mail is a political dirty trick or what the objective is of the person who sent the e-mail.
"What we do know, however, is that there is a strong likelihood that these individuals have found a way to breach private and confidential information."
Coleman’s campaign is encouraging supporters who think they might have contributed to the campaign to cancel their credit cards.
Coleman is involved in a lengthy challenge to Democrat Al Franken’s apparent 200-plus vote win in Minnesota’s Senate race.
I particularly like the portion of The Hill's quote that says:
"Let me be very clear: At this point, we don't know if last evening's e-mail is a political dirty trick or what the objective is of the person who sent the e-mail."
As if the only possibility is that some nefarious group is out to screw him politically. No possibility that there was some level on incompetence on the part of his staff
- Tim
***********************************************************************
Updated: Puppethead noted THIS ARTICLE that asks whether this was a "data breach" at all. It seems more likely that it was just the result of flat out stupidity on the part of Coleman's staff.
I looked at the spreadsheet which, as noted in the City Pages article, is available on wikileaks.org and it appears that his staff kept the 3 and 4 digit CVV security codes for those cards which I am almost certain is illegal.
Update 2: There is some fantastic info HERE by Adria Richards that confirms that the Coleman campaign's site was "hacked" and that the actual reason was a complete lack of any sort of security.
In addition, it seems that the recording of the CVV numbers on the spreadsheet available HERE is in violation of Minnesota Law as noted HERE.
Update 3: Mainstream press is now picking this up - this story might have some legs. Here is the AP:
GOP candidate for Minn. Senate seat warns of leak
By BRIAN BAKST
Associated Press Writer
AP Photo/Harry Hamburg
ST. PAUL, Minn. (AP) -- As Minnesota's drawn-out Senate saga took another step toward conclusion in a courtroom Wednesday, thousands of donors to Republican Norm Coleman's legal fund learned that their identities and some of their credit card information had been posted on the Web.
In an e-mail to supporters Wednesday, the Coleman campaign said personal and credit card information of thousands of donors had been posted online. The campaign said it asked federal authorities to investigate, and it urged affected donors to cancel the cards.
The disclosure came at a bad time for Coleman, who is in the seventh week of a lawsuit challenging the recount that put his Democratic opponent, Al Franken, on top by 225 votes. A special court is nearing the end of that trial, but expensive appeals could follow.
"I think it will have a very debilitating effect" on fundraising, Coleman said outside the Minnesota courtroom. "I find it to be frightening, I find it to be scary and I'm obviously disappointed. But I am hopeful - not confident - that law enforcement authorities who are involved will get to the bottom of this."
A group called Wikileaks e-mailed some Coleman supporters Tuesday night to suggest that their credit card information was floating around the Internet. Wikileaks casts itself as an outlet for "untraceable mass document leaking and analysis," with a focus on exposing oppressive regimes worldwide and unethical behavior in corporations and government.
"Your name, address and other details appear on a membership list leaked to us from the Norm Coleman Senate campaign," the e-mail said.
A follow-up e-mail linked to a spreadsheet showing information for 4,715 donors, including names, addresses, phone numbers, donation amounts, partial card numbers and security codes.
The group also posted on its Web site a spreadsheet with details for 51,641 Coleman contacts, including volunteers, reporters and rallygoers. The group said it would release other information "once those affected have time to be informed."
A Washington-based phone number for the group got only a busy signal Wednesday.
Coleman attorney Fritz Knaak and campaign manager Cullen Sheehan said the campaign became aware of a possible security breach in January, but an investigation, which Knaak said involved the U.S. Secret Service, found that no unauthorized party had accessed the confidential information.
Two Minnesota political Web sites wrote at the time about loosely guarded donor data on Coleman's Web page, but it's unclear where or when the data was publicly accessible.
One of the Wikileaks e-mails cited a blog post by Adria Richards, a Minneapolis-based technology consultant who said she read in January about the supposed breach of Coleman's site and went there herself out of curiosity.
Richards told The Associated Press on Wednesday that she quickly found private information, including a link to a database, that was accessible to anyone with a decent understanding of Web servers. She took several screen captures of the pages and posted them to her blog.
"I'm not a hacker. My goal is not to dig into other peoples' insecurities, but just to identify them," said Richards, who added that she didn't download or even open the database.
Richards said she had nothing against Coleman. "I would have done this if it was a Republican or a Democrat," she said.
Knaak said Coleman's campaign officials met to discuss the Web site after its security was questioned in January.
"We wanted to be very sure there wasn't going to be any likelihood of success," Knaak said. "Apparently we weren't successful."
Wikileaks accused the Coleman campaign of keeping the January breach secret, and cited a Minnesota law that requires prompt disclosure of any breach involving personal information. Knaak said he's confident the campaign complied with the law.
Knaak said it's unclear whether Wikileaks had a hand in shaking the information loose or was merely a conduit for disseminating it. He said the campaign doesn't believe it came from an insider.
Whatever the case, Knaak warned that the data release wouldn't be taken lightly.
"If somebody did this as a lark to see what would happen, they just bought themselves a ton of trouble," he said.
© 2009 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed. Learn more about our Privacy Policy.