Beyond the Norm: Coleman's data leak disaster

Cringely unravels the ugly mess around ex-Minnesota Senator Norm Coleman's data spill and asks, Should this man be handling sharp implements?

It's been a bad week for fans of Norm Coleman, the former Minnesota senator who lost a whisker-thin election to ex-"Saturday Night Live" comic/Air America radio host/Mad Magazine contributor Al Franken. (Technically, Coleman is still fighting a recount battle and may still be fighting it six years from now when the seat comes back up for re-election.)

Some 4,700 unlucky donors to the Coleman senate campaign have had their credit card numbers leaked on the Internet, and another 51,000 supporters got their names, addresses, e-mail, and passwords exposed. The data has been out in the wild for at least six weeks, and now that Wikileaks has gotten its fingerprint-free hands on them, everybody can have at it.

The key culprits? Why, the Coleman campaign itself. And therein lies a tale.

News of the wide-open database first hit the Net on Jan. 28, thanks to a Minneapolis-based consultant named Adria Richards, who posted a screen shot of the open Colemanforsenate.com directory on Flickr. She details the process of how she found the open database (in less than two minutes) on her But You're a Girl blog. (She says, however, that she did not download it.)

On that same day, the Coleman campaign claimed its Web site had been overwhelmed by traffic and taken offline. Coleman campaign manager Cullen Sheehan implied the crash was related to "the Franken campaign’s ongoing effort to quash votes."

According to tech wonks contacted by the Minnesota Independent, that doesn't seem to be what actually happened. Blogger Aaron Landry even accused the Coleman campaign of faking the site crash: "In short, they have configured their website to intentionally point at nothing," he wrote.

Later that evening, the Independent reported Richards' findings that an unsecured donor database was stored on the Coleman site. A few hours after that, the page containing that database was suddenly password protected.

But the Coleman campaign didn't bother notifying any of its supporters that their data had been exposed on the Net. (Which, as this Wikileaks page notes, may be a violation of Minnesota state law.)

Fast-forward six weeks. Wikileaks.org receives copies of the databases from an anonymous whistle-blower. The site sends an e-mail to everyone in those databases, warning them it's about to spill the beans. Two days later, the databases, with most of the credit card digits removed but everything else intact, go online.

The Coleman crew immediately begins shrieking about being hacked, political dirty tricks, and federal investigations into nefarious acts of espionage. (Though, as Richards notes, the only "hacking" tool she needed to find all this information was Google.) Their official response also included this gem: "We take the privacy and confidentiality of our donors and supporters extremely seriously."

But not quite seriously enough to a) keep their unprotected confidential data off the Net, or 2) tell anyone after they knew the data was exposed.

Why didn't they contact anyone back in January? According to Sheehan:

We contacted federal authorities at that time, and they reviewed logs from the server in question as well as additional firewall logs. They indicated that, after reviewing those logs, they did not find evidence that our database was downloaded by any unauthorized party.

Well, guess again, Sherlock. Richards was able to gain administrative access to the site, and she says the log files were missing. If anyone could become an administrator, how would they know who or wasn't authorized? Without a log file, how would they know how many times this data was downloaded?

Bottom line: It's now Christmas in March for identity thieves.

Canceling and replacing your credit cards is a hassle (I know, I just had to do this myself recently after I lost my wallet). Good luck canceling your street address, phone number, e-mail, passwords, and any other information contained in those databases.

But it gets much worse. If I were your average Internet scumbag, I'd comb that donor database for people who live in the nicer ZIP codes, target them with some kind of investment scam, isolate the ones with more money than brains, and bleed them dry. At the very least, these lists provide tons of material for spear phishing and social engineering.

At this point, the question isn't whether the Coleman team is equipped to handle matters of state; the question is whether they should be allowed to handle sharp instruments. Because they are clearly a danger to themselves and others.

(Lest you think I'm being partisan because Coleman is an Elephant, I invite you to submit geek gaffes of similar magnitude by Donkeys and independents. There's plenty of snark to go around for everyone.)

Meanwhile, Wikileaks continues to walk a fine line between serving the public good and abetting private disasters. If my information were on either of those databases, I'd be unhappy with both Coleman and the whistle-blowers. They could have easily made their point and still redacted enough information to make it hard for thieves to get anything useful out of it.

Instead, it's party time for Net scammers, and Hell on earth for 50,000-plus Minnesotans who were just trying to support the candidate of their choice.

Will this data breach affect how you contribute to political campaigns? Post your thoughts below or e-mail me: cringe (at) infoworld (dot) com.

Think you've got the right stuff to pass our tech quizzes? They're not as easy as they look:

The InfoWorld News Quiz

Test Your Geek IQ

Test Your Knowledge of Geek Celebrities

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies