“we have discovered that all on-line Coleman contributors had their full credit card details released onto the Internet on 28 of [January], 2009, by Coleman’s staff.”
Another email from wikileaks.org, as relayed by the Minnesota Progressive Project:
Following our earlier email over the Coleman leak, we have discovered that all on-line Coleman contributors had their full credit card details released onto the Internet on 28 of Jan, 2009 by Coleman’s staff. Senator Coleman was made aware of this yet elected not to inform supporters in violation of Minnesota Statute 325E.61…
We provide proof of here (Windows Excel spreadsheet), which if you are a contributor will provide the last 4 digits of your Credit card and the security numbers on the back.
What’s Cullen Sheehan’s response?
Coleman’s campaign followed with an e-mail Wednesday morning that said the campaign became worried that its firewalls had been breached in January.
“We contacted federal authorities at that time, and they reviewed logs from the server in question as well as additional firewall logs,” campaign manager Cullen Sheehan said. “They indicated that, after reviewing those logs, they did not find evidence that our database was downloaded by any unauthorized party.”
This is a bald-faced lie, for two reasons:
- Firewalls have nothing to do with it. Firewalls do not manage permissions on where this database was stored. In fact, it’s quite possible this database wasn’t even behind a firewall.
- If they did indeed review their server logs, those logs would indicate that people were accessing the directory that contained this database. How do I know? There are screenshots that prove it.
The Coleman for Senate campaign had this database in the wide open, in public, and available for anyone to download in January 2009 and likely for a long time beforehand. Simply telling their supporters to cancel their credit cards is not enough: they broke the law, and had to have known about it as early as January 2009. The fines on this are very high.


I’ve been chuckling about this since it first came to light. Inept thy name is Republican. Can’t run a simple website. Can’t run a government. Can’t even protect their own base from potential credit card disaster. Think security is the end all be all of government but fail to keep the three-digit back of card information away from a one source thieves paradise. These are the people that Really?, Dan and the other trolls present with arrogance as the “smartest people in the room.” Pull the other one…
So will all these out of state donors to Norm “RINO” Coleman’s ego quest be pissed or not? My guess is they’ll ask Rush what he thinks of it… or maybe just not mention it at all. Perhaps Michael Steele has a hip-hop remedy for stupidity? Nah, he would have already used it on himself.
Norm Coleman’s campaign is the only party at fault in this situation. They are the ones who actively put their entire database online for anyone to download simply by clicking a link; no hacking nor special knowledge required. This is documented on several websites back in January. So why has this taken so long to enter the public forum? Why has the Coleman campaign taken so long to give notice to their supporters that they not only released, but illegally stored their credit card information?
This release of information is not the only bad part, as it seems the parties involved with the Wikileaks disclosure actually protected the cardholder’s full credit card number. Coleman’s campaign actively violated Payment Card Industry Data Security Standards (PCI DSS) by storing the full card number and expiration date unencrypted, which isn’t permitted. Even worse, they stored the security code on the back of the card, and storage isn’t permitted in any case, for any reason, with or without encryption.
This is complicated by the political nature of the information. Donors who gave an amount small enough to avoid being reported in campaign financial reporting documents will now find that their full name, address, employer, occupation and credit card information has been published by the campaign they donated to!
This is a disgusting example of poor security, and blame needs to lie with the Coleman campaign and their web developers. Blame further lies with the Coleman campaign and their media operations for not notifying their donors that their information had been published. I say published, because the information wasn’t breached, stolen, or otherwise hacked. It was PUBLISHED and DISTRIBUTED via the Coleman website. No “federal authorities” are going to look at firewall logs when the Coleman campaign actively disclosed their own database, so who do you think should be the parties the “federal authorities” investigate? Hopefully they’ll investigate the Coleman campaign itself.
Certainly, if someone were to use the card numbers or actively distribute the card numbers, it would be illegal and unethical. But at this point, Wikileaks and their source didn’t release full card numbers. Who knows what will happen next in that regard? If “federal authorities” found that nobody had accessed the database, which was again openly published on the Coleman website, how did Wikileaks get an Excel spreadsheet of every single web donation?
Coleman Campaign Manager Cullen Sheehan writes in a press release that there is a “…strong likelihood that these individuals have found a way to breach private and confidential information.” Well, generally there’s MORE than a “strong likelihood” when the campaign PUBLISHES the said private and confidential information on their website!
So, what’s next? The Coleman campaign needs to admit fault, and tell donors that there’s not a “likelihood” of a breach, but that it actually happened, and that they are at fault. They need to stop blaming “hackers,” and start blaming their web developers.
I further call for the Minnesota Attorney General’s office and state authorities to investigate this matter and charge the Coleman campaign for violations of Minnesota Statute §325E.61, specifically relating to their disclosure of personal information and neglect to notify donors, or more accurately, lie about the reasons behind the disclosure.
I assume the Coleman campaign will be using campaign donations to pay for the legal fees associated with the criminal investigation/prosecution and defense of civil lawsuits stemming from this breach of data security law?
And this is all in addition to the campaign money being spent defending the criminal investigation for the unreported gifts allegedly funneled through Laurie Coleman?
Team Coleman has an army of lawyers who are undoubtedly costing tens of thousands of dollars EVERY DAY right now. They’re looking at months or even years of state and federal appeals from the recount that could cost millions of dollars more.
Who is going to keep donating money to Team Coleman at this point?
Perhaps Norm can join Bernie Madoff in prison.
Anyone with any sense knows they’re getting screwed in-the-you-know-where if they are donating money to the Coleman for Senate campaign.
More of the legendary republican “fiscal responsibility” in evidence. When will that meme die?
Really? DTM, Sean2, I hope you guys weren’t victims of this.
Say, as long as Team Smokescreen is asking questions, perhaps some vigilant journalist will ask ‘em:
“Whose name is/was on the utility bills for Coleman’s D.C. apartment?”
After all, it’s only been 219 days since Team Smokescreen’s SpokesTool Mark Drake promised to check about getting copies of actual utility bills for said digs….
There’s a reason why ol’ Smokescreen made CREW’s list of most corrupt - and it’s the old fashioned reason: Coleman “earned” it.
Pete: If they were “victims” they were complicit. Anybody who wasn’t aware what a team of incompetents Coleman’s guys were deserves to fall.
Putting aside the vitriol we aim at our right-wing participants (and they at us), anybody who donated didn’t know their credit card numbers would be made public. If you’ve ever been a victim of identity theft, you know what I mean.
I agree, Pete. Identity theft is nothing to snicker about, no matter who it may involve. I hope justice is served to those who failed to protect the data. And I hope that donors are not affected personally by the idiotic decisions made by Coleman’s IT/web site team.
Still, they knew about this issue back in January yet have been begging for donations all this time. Now that the election contest is winding down (with rebuttals, final arguments, and the expected appeal), the timing seems interesting, at best. You can bet whatever contributions towards Norm’s legal bills will come to an abrupt halt with this news.
“Will get fined”
Ignorant people think it is the noise which fighting cats make that is so aggravating, but it ain’t so; it is the sickening grammar that they use. ~Mark Twain
Why is the TV media still taking the “hackers did it” line of bullshit? This was incompetence of the highest order. Any company that would have been this lame would be up on charges. Norm gets to play victim instead.
Just grabbed the feed… thanks for posting this.