To say it's been a rough few months for possibly ex-Senator Norm Coleman is an understatement. Come March he's still battling Al Franken for his Minnesota Senate seat. To add to that: nearly 5,000 campaign donors just found out that Coleman's campaign published their credit card numbers, along with every other bit of information it held about them, online in January.
Thousands Of Minn. Senator Campaign Donors Info Exposed
The breach was not the result of a hack. No special skills beyond Google and a mouse were needed to access the publicly posted database, which contained unencrypted credit card numbers and the four-digit security codes printed on the cards. An additional 51,000 supporters had their names, addresses, email addresses, and passwords exposed.
That was in January, like we said. Why are you just now hearing about it? The Coleman campaign didn't tell anyone. Likely anybody who swiped the information didn't say anything either. This is where Wikileaks comes in.
Wikileaks is a politically and nationally independent organization dedicated to protecting anonymous sources and whistleblowers. They're famous for posting documents and data governments and powerbrokers don't want people to know about. In short, they're the answer to the question "Who watches the watchdogs?"
Wikileaks was informed of the breach long before it actually posted evidence of it, giving Coleman's campaign time to produce some sort of remedy. In this case, the remedy would have been to admit to the breach and inform the affected parties. When this didn't happen, Wikileaks posted the information on its site, obscuring the card numbers to prevent any (subsequent) fraud, and sent out an email to all Coleman donors informing them of the situation, complete with a pretty spreadsheet of their own information.
Soon after, the Coleman campaign sent out a statement saying that something had happened in January that had caused them to fear that hackers had breached their firewalls. But after federal authorities reviewed the logs, they found no evidence the database had been accessed by unauthorized parties.
There's a slight problem with that explanation. Adria Richards posted a video on YouTube detailing which hacker skills she used to get behind the Coleman campaign's firewalls: she used Google. The database was visible to anybody with access to Google.
Which of course is everybody. And when everybody has access, all parties are by default "authorized."
A breach is one thing: an embarrassing thing that requires disclosure to the affected parties, and neglecting that disclosure is enough to get a person in trouble on its own. But in this case, the lack of disclosure is compounded by some other legal problems. Minnesota law requires stored credit card information to be encrypted, and the security codes printed on the cards are not to be retained for any reason, ever.
One positive thing: Coleman's legal team is probably already at the courthouse anyway fighting off a couple hundred Al Franken votes. They won't have far to go to fight off a few thousand angry (former) supporters.
About the Author:
SecurityProNews is a daily online and email publication focusing on internet security issues.