More on the Coleman campaign breach (updated)
The Associated Press is now reporting that financial data for at least 4,700 campaign donors was posted on the internet and contact information for 51,000 others was also disseminated. A statement from Coleman’s office indicates that there may have been a breach of the Coleman for Senate web site and that federal investigators, when contacted in January about a possible breach, had not found any evidence that there had been any breach (but see the Minnesota Independent story, below).
Wikileaks.org published the list of 4,721 donors as well as a list of 51,641 supporters and web site users with some details unredacted. Both files contain full names, addresses, and in the case of supporters, their home phone numbers. Credit card numbers were truncated, although Wikileaks.org indicates it had obtained full credit card numbers.
In a press release on the documents, Wikileaks.org says:
Although politically interesting in their own right, the lists, which are part of an enourmous (sic) 4.3Gb database leak from the Coleman campaign, provide proof to the rumors that sensitive information–including thousands of supporter’s credit card numbers–where (sic) put onto the Internet on January 28 as a result of sloppy handling by the campaign.
Senator Coleman collected detailed information on every supporter and website visitor and retained unencrypted credit card information from donors, including their security codes. Although made aware of the leak in January, Senator Coleman kept the breach secret, failing to inform contributors, in violation of Minnesota Statute 325E.61.
In January, Paul Schmelzer of the Minnesota Independent had reported the web site crash. A commenter, “EPIC” had posted a link to the entire database on January 28th: http://220.127.116.11/colemanforsenate.com/db/database.tar.gz (that link did not work when tested today). Today, he explains that the site was not hacked, and that IT professional IT Adria Richards uncovered the database in January by using her browser:
Richards said she discovered the database by entering normcoleman.com, into OpenDNS’ cache-check tool, which gave her an IP address where the Web site lived.
Simply copying that address into a Firefox browser revealed the Web site directories for normcoleman.com.
Richards didn’t download the database herself, but she posted a screen capture of what she’d found online after she made the discovery. An IT consultant for 10 years, she published her findings on her blog to educate others about the risks of improperly managed websites, she said.
“All you needed was a Web browser,” she said. “It’s like I walked over to Norm Coleman’s house and saw his door was open, took a photo of the open door and posted it on the Internet.”