The Amazing Technicolor Incompetence Of The Coleman Campaign

First, Norm Coleman raised money for his 2008 Senate campaign. Then, Norm Coleman raised money for the hopeless but nevertheless unending legal battle over the result of the 2008 Senate campaign.

Now, it looks like Norm Coleman will need to raise money for another legal battle. But with the allegations that surfaced yesterday, past donors may be understandably chary about contributing again.

The short version is that, for a brief period in January, the Coleman campaign — displaying an extraordinary level of incompetence — first accidentally parked the full credit card information of donors (including the three-digit security codes that vendors are not even supposed to save in the first place after charging a card) in unencrypted form in a publicly accessible location on their website. Then, in direct contravention of state law, and in clear violation of any notion of ethical behavior, they chose not to inform donors of this security breach once they became aware of it. Their first communication to affected donors came yesterday, after donors who had been alerted by Wikileaks to the security breach started contacting the campaign with questions.
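The failure described above (card numbers and security codes sitting in plain files under a public web root) is the kind of thing a routine audit can catch. The following is an added example, not anything from the campaign's site or the original post: it scans a directory standing in for a document root, flags files holding Luhn-valid card numbers, and notes where a three- or four-digit code sits on the same line. The sample files and card numbers are constructed test values.

```python
import os
import re
import tempfile

# Constructed sample files standing in for a public web document root.
# The card numbers are well-known test values, not real accounts.
SAMPLE_FILES = {
    "donors_export.csv": "name,card,cvv\nJ Doe,4111111111111111,123\nA Roe,5500000000000004,456\n",
    "index.html": "<html><body>Donate today! Call 555-0100.</body></html>",
}

PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")   # candidate card numbers
CVV_RE = re.compile(r"(?<!\d)\d{3,4}(?!\d)")        # security-code-shaped field

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, to separate real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan_text(text: str) -> dict:
    """Count Luhn-valid PANs and lines that pair a PAN with a CVV-like field."""
    pans = 0
    pan_with_cvv = 0
    for line in text.splitlines():
        found = [m.group(1) for m in PAN_RE.finditer(line) if luhn_ok(m.group(1))]
        if not found:
            continue
        pans += len(found)
        rest = PAN_RE.sub(" ", line)   # drop the PAN before looking for a short code
        if CVV_RE.search(rest):
            pan_with_cvv += 1
    return {"pans": pans, "pan_with_cvv": pan_with_cvv}

def scan_webroot(root: str) -> dict:
    """Map each file under root that contains card data to its findings."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                result = scan_text(fh.read())
            if result["pans"]:
                hits[os.path.relpath(path, root)] = result
    return hits

def build_sample_root() -> str:
    """Write the constructed sample files into a temporary directory."""
    root = tempfile.mkdtemp()
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

A file that shows up with pan_with_cvv greater than zero is the worst case here: the security code should never have been retained after authorization, let alone stored beside the card number.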

Here is the Wikileaks version of the story:

Wikileaks has released detailed lists of the controversial Republican Senator Norm Coleman’s supporters and donors. Some 51,000 individuals are represented.

Although politically interesting in their own right, the lists, which are part of an enormous 4.3Gb database leak from the Coleman campaign, provide proof to the rumors that sensitive information–including thousands of supporters’ credit card numbers–were put onto the Internet on January 28 as a result of sloppy handling.

Senator Coleman collected detailed information on every supporter and website visitor and retained unencrypted credit card information from donors, including their security codes. Although made aware of the leak in January, Senator Coleman kept the breach secret, failing to inform contributors, in violation of Minnesota Statute 325E.61.

The statute states that organizations that become aware of such a disclosure of sensitive unencrypted personal information must notify the individuals concerned “in the most expedient time possible and without unreasonable delay” and “immediately following discovery.”

The information circulated on the Internet for six weeks before a warning was sent by Wikileaks to those affected, pending its analysis of the material.

Yesterday Wikileaks sent two notifications to Coleman’s supporters as a courtesy prior to releasing a subset of the data.

Today Senator Coleman’s Campaign manager Cullen Sheehan tried to spin the issue, claiming somewhat fantastically that no data had been downloaded, that the culprits would be caught and that all donors should cancel their credit cards. No apology was made for the initial leak or its cover up.

In response Wikileaks has had to bring forward its public announcement. The open government group has released two files, a detailed list of 4,721 on-line donors with the last four digits of their credit cards as proof and a list of some 51,641 supporters. The full database comprises over 30 tables of information, including personal details, full credit card numbers, passwords and “back of card” security numbers.

Wikileaks will release other material from the extensive Coleman database once those affected have time to be informed.

The Coleman campaign’s spin seems patently false, on the face of it. The following facts seem incontrovertible:
1) The full credit card information of donors is actually in the possession of Wikileaks, so obviously this information was downloaded and leaked into the public domain, although the Coleman campaign insists none of this data had been compromised.
2) The Coleman campaign did not contact donors till yesterday to inform them of the breach.

There doesn’t seem to be any way that this can end well for the Coleman campaign. The ill-considered spin they are putting out at this stage is only going to make things worse.

Incidentally, TPMDC has Norm Coleman calling this hacking (not exactly the appropriate word to use if you leave unencrypted data sitting around in full public view), and accusing political opponents of being responsible:

Norm Coleman just delivered a statement outside the Minnesota courtroom, addressing the breach of security on his online donors’ data — and putting the blame squarely on political opponents, who are allegedly attempting to scare Coleman’s supporters out of donating.

However, The Minneapolis Star Tribune says:

His lawyer, Fritz Knaak, said that while crippling Coleman’s fundraising during the election trial was an obvious reason, the campaign had no evidence that political opponents were to blame.

***Update, 6:27 a.m.***

For anyone who is interested, this January 28, 2009 post by Adria Richards on her ButYou’reAGirl blog seems to be what initially spilled the story onto the internet. This post was cited in the letter that Wikileaks received from their whistleblower, as proof that the “database was exposed by the incompetence of Coleman’s website personnel, making the information public for a period of time”.