Coleman Donor Database Story Debunked


By Noah Kunin, Senior Political Correspondent


On January 28, 2009, the directory index for colemanforsenate.com was publicly accessible for several hours. Within the index was a database of individuals who had contributed to the Coleman for Senate campaign, going back to March 2008. This database was accessed by a number of known individuals and an unknown number of others.


[Image: screenshot of the exposed Coleman donor database (photo from Adria Richards)]


Under Minnesota Statute 325E.61, in these circumstances the Coleman for Senate campaign was required to disclose to these donors that their data had been leaked onto the internet. It appears the Coleman campaign did not follow the statute because a “probe” conducted by the Secret Service and the Bureau of Criminal Apprehension informed Coleman staff that no inappropriate access took place. The above imagery proves this is false.


UPDATED 1:49PM, 3/12/09: Moreover, the Payment Card Industry Council prohibits the storage of any of this information in an unencrypted state. The database also included the 3-digit security code printed on the back of credit and debit cards. According to e-commerce standards, this code is not to be stored in any permanent form after the transaction is completed. Additionally, this is prohibited by Minnesota Statute 325E.64: (emphasis added)


“No person or entity conducting business in Minnesota that accepts an access device in connection with a transaction shall retain the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data, subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction.”


For more information on this aspect of the story, consult this Pioneer Press article by Dave Orrick.
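To make the retention rule concrete, here is an added example (not code from the campaign, Wikileaks or this article) showing what a merchant's transaction store is and is not allowed to keep under the statute quoted above: the card security code is used once for authorization and never written to the record, PIN verification data is tolerated only within the 48-hour PIN-debit window, and a scan flags any stored record that still carries a security code, track data or an unmasked card number. The gateway callable, field names and sample records are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Fields that must not be retained after authorization under Minn. Stat. 325E.64
# (card security code, PIN verification value, full magnetic-stripe track data).
PROHIBITED_FIELDS = {"cvv", "cvc", "card_security_code", "pin_verification", "track1", "track2"}

def luhn_valid(digits):
    """Luhn check, used here only to spot a full card number stored in the clear."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Keep at most the first six and last four digits (the PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def authorize(card, amount, gateway):
    """Send the full card data to the gateway once, then persist only what the
    merchant may keep. The security code never enters the stored record."""
    result = gateway(card, amount)  # hypothetical gateway callable (assumption)
    return {
        "pan_masked": mask_pan(card["pan"]),
        "expiry": card["expiry"],
        "amount": amount,
        "auth_code": result["auth_code"],
        "approved": result["approved"],
        "authorized_at": result["authorized_at"],
    }

def retention_violations(records, now):
    """Scan stored transaction records for data the statute forbids retaining.
    PIN verification data is tolerated for 48 hours after a PIN debit
    authorization, as the statute allows; everything else is a violation."""
    violations = []
    for idx, rec in enumerate(records):
        for key, val in rec.items():
            k = key.lower()
            if k in PROHIBITED_FIELDS and val not in (None, ""):
                if (k == "pin_verification" and "authorized_at" in rec
                        and now - rec["authorized_at"] <= timedelta(hours=48)):
                    continue
                violations.append((idx, key))
            elif isinstance(val, str) and re.fullmatch(r"\d{13,19}", val) and luhn_valid(val):
                violations.append((idx, key))  # unmasked card number in clear text
    return violations

# Constructed sample data (not from the leaked database). 4111 1111 1111 1111 is a
# well-known test number, not a real account.
NOW = datetime(2009, 3, 12, 11, 0)
SAMPLE_CARD = {"pan": "4111111111111111", "expiry": "12/10", "cvv": "123"}

def fake_gateway(card, amount):
    # Stand-in for a real payment gateway; a real one would verify the CVV here.
    return {"auth_code": "A1B2C3", "approved": True, "authorized_at": NOW}

COMPLIANT = [authorize(SAMPLE_CARD, 25.00, fake_gateway)]
NONCOMPLIANT = [
    {"pan": "4111111111111111", "expiry": "12/10", "cvv": "123", "amount": 50.0},
    {"pan_masked": "411111******1111", "pin_verification": "9F3A",
     "authorized_at": NOW - timedelta(days=3)},
    {"pan_masked": "411111******1111", "pin_verification": "9F3A",
     "authorized_at": NOW - timedelta(hours=1)},
]

if __name__ == "__main__":
    print("compliant store:", retention_violations(COMPLIANT, NOW))
    print("noncompliant store:", retention_violations(NONCOMPLIANT, NOW))
```

Run as a script, the compliant store reports no violations, while the constructed noncompliant store flags the clear-text card number, the stored security code and the three-day-old PIN verification value but not the one-hour-old one. Encryption of the stored fields, which the PCI rule in the update above also requires, is a separate control and is not modeled here.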


The very contention that no one downloaded the database once the index was open is impossible to sustain. As computer security expert Bruce Schneier told Minnesota Public Radio: (emphasis added)


“That response by the campaign makes no sense…(t)here’s no way that anyone can go through the network and say definitively that nobody accessed the data. That’s just ridiculous.  So either they misunderstood what the feds told them, or they’re just lying to the press.”


Indeed.  Schneier left out one possibility.  The Coleman campaign, in desiring to avoid public embarrassment in January, gave falsified server logs to federal authorities.
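As an added example (not from the article, the campaign or the investigators) of what a server log can and cannot tell an investigator about an exposed directory like the one described at the top of this story, the following script parses constructed Common Log Format lines, reports which clients viewed the listing and which fetched a sensitive file, and then looks for stretches where the log contains no entries at all. The host, paths and file name are assumptions made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines in Common Log Format. The directory, file name and
# client addresses are assumptions for illustration, not the campaign's real logs.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jan/2009:14:02:11 -0600] "GET / HTTP/1.1" 200 5120
203.0.113.5 - - [28/Jan/2009:14:02:40 -0600] "GET /admin/ HTTP/1.1" 200 8830
203.0.113.5 - - [28/Jan/2009:14:03:02 -0600] "GET /admin/donors.xls HTTP/1.1" 200 4411230
198.51.100.77 - - [28/Jan/2009:15:10:09 -0600] "GET /admin/ HTTP/1.1" 200 8830
198.51.100.77 - - [28/Jan/2009:15:10:30 -0600] "GET /admin/donors.xls HTTP/1.1" 200 4411230
192.0.2.9 - - [28/Jan/2009:16:44:51 -0600] "GET /donate.html HTTP/1.1" 200 2210
192.0.2.9 - - [28/Jan/2009:16:45:12 -0600] "GET /admin/donors.xls HTTP/1.1" 206 1048576
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def exposure_report(text, listing_path, sensitive_paths):
    """Who viewed the directory listing and who fetched the sensitive files.
    A 206 (partial content) counts: a partial download is still access."""
    listing_viewers = set()
    downloads = defaultdict(set)
    for rec in parse_log(text):
        if rec["status"] not in (200, 206):
            continue
        if rec["path"] == listing_path:
            listing_viewers.add(rec["ip"])
        elif rec["path"] in sensitive_paths:
            downloads[rec["path"]].add(rec["ip"])
    all_downloaders = set().union(*downloads.values()) if downloads else set()
    return {
        "listing_viewers": sorted(listing_viewers),
        "downloads": {p: sorted(ips) for p, ips in downloads.items()},
        "distinct_downloaders": len(all_downloaders),
    }

def coverage_gaps(text, max_gap_minutes):
    """Stretches with no log entries at all. On a busy site an hour with nothing
    logged usually means missing log data (rotation, a proxy or cache in front,
    logging disabled), not an idle server, so a clean-looking log cannot prove
    that nobody accessed a file during those periods."""
    times = [rec["time"] for rec in parse_log(text)]
    gaps = []
    for earlier, later in zip(times, times[1:]):
        if (later - earlier).total_seconds() > max_gap_minutes * 60:
            gaps.append((earlier.isoformat(), later.isoformat()))
    return gaps

if __name__ == "__main__":
    print(exposure_report(SAMPLE_LOG, "/admin/", {"/admin/donors.xls"}))
    print(coverage_gaps(SAMPLE_LOG, 60))
```

On the constructed sample the report shows three distinct clients fetching the file, one of them without ever requesting the listing, and two gaps of more than an hour with no entries. That is the practical content of Schneier's point: a log can establish that access did happen, but its silence establishes nothing, because requests served from caches, through proxies, or during gaps in logging never appear in it.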


Regardless, yesterday Wikileaks.org re-released the database and emailed all the donors whose information had been released in January. Wikileaks staff felt the release was urgent and necessary since Coleman’s campaign had not notified the donors itself.


UPDATE 11:32AM, 3/12/09: Minnesota Public Radio, via The Associated Press, is printing the following statement from Jay Lim, spokesman for Wikileaks.org: (emphasis added)


Jay Lim, a spokesman for Wikileaks, wrote in an e-mail to The Associated Press that “Senator Coleman should not have kept this information in the first instance.” “Secondly, his team should not have released the information out onto the open Internet for anyone to download,” Lim wrote. “Finally, he should have informed those concerned. He was given plenty of opportunity to do so. We shouldn’t have had to do it for him.”


It appears some financial institutions took it upon themselves to investigate the unauthorized release of data. Andy Apilkowski, a longtime Republican, wrote on his blog Residual Forces that Wikileaks.org and the Coleman campaign emailed him on Tuesday to say that his credit card information had been included in the leak. Apilkowski says that explains why his bank had notified him that his debit card had been involved in a security breach and that they were sending him a new one – two weeks ago!


If the initial Coleman probe concluded that no one downloaded the donor database, why did a bank preemptively cancel a donor’s debit card?


UPDATE 11:14AM, 3/12/09: An astute UpTake reader brings up another possibility regarding the case of Apilkowski. Apilkowski’s bank may instead have been investigating the Heartland Payment Systems security breach. News of that incident broke the same month as the Coleman database release. According to the Washington Post, the Heartland breach may be the “largest ever.”


UPDATE2 10:06AM, 3/12/09: Here, technology consultant Adria Richards explains how she discovered the Coleman database had been released:
