By CP Staff
Norm Coleman is dealing with a public-relations disaster in the wake of last week's leak of personal data from 50,000 donors.
At least 4,715 of those donors also had their financial information leaked. They are being told to cancel their credit cards immediately. The others just had their contact information leaked.
Coleman might be crying out against hackers, but some are saying his campaign made this data easy to access on its site. And there's also the fact that it's illegal for businesses to store the information at all.
The Coleman campaign suspected this breach back in January, and claims to have made calls to federal authorities, who then determined no such leak occurred.
But then emails began to come in from Wikileaks.org, a shadowy organization dedicated to anonymously publishing leaked documents. The site claimed it had the credit card numbers of Coleman's online donors. For proof, the site posted one spreadsheet of donors' info.
But the problems for Coleman don't stop with a scary breach of security, or the apparent lack of notification in regard to data.
A simple look at the leaked spreadsheet shows that his campaign kept thousands and thousands of credit card security codes—those three-digit numbers the pizza delivery guy asks for before he approves your order.
But even the pizza guy knows he's not supposed to keep that code. That's due to a subdivision in Minnesota law H.F. 1758, which reads in part, "Security or identification information; retention prohibited."
So did the Coleman campaign violate the law?
"Certainly the attempt [of the law] is to prevent the storing of such data," says University of Minnesota consumer-protection law professor Stephen Meili. "But this one isn't crystal clear. There are two questions. One: Is a campaign donation a transaction? Two, and this is a trickier question: Is a campaign conducting business? There may be more definitive answers in the statute...or not."
Experts say that the law is on the books to keep exactly this sort of thing from happening.
"I am not an expert on this statute, but I can confirm that if a business retained security codes as the campaign apparently did, it would be violating both Minnesota law and the credit card companies' security rules," wrote William McGeveran, associate professor at the University of Minnesota Law School, in an email. "This retention rule is designed precisely to avoid security breaches from hackers. Retaining valuable information without a good reason is an invitation to identity theft."
Let's summarize the facts as they are known, with an eye toward dispelling the myths when it comes to technology:
• The Coleman campaign stored credit card information online in a way that would be illegal if it were a business.
• This information was accessed by an outside party due to an error on the part of the Coleman campaign's web team.
• Faced with this information, Team Coleman stayed mum for weeks, during which their contributors were vulnerable to identity theft.
• The story gets posted on Wikileaks, goes national, so the Coleman campaign acts outraged and sends an email warning donors to cancel their credit cards.
Put aside the issue of "was it or wasn't it hacked" (it wasn't). Why didn't Coleman warn his contributors to cancel their credit cards back when this story first broke? His lawyer says it's because the campaign was afraid it would choke badly needed donations.
So Norm Coleman put self-interest above the well-being of his contributors, many of whom are constituents. Doesn't that tell us all we need to know about whether we want him as our senator?
But if you still want to donate to his campaign, good luck: The donation link has been pulled down. In a Frequently Asked Questions section about the leak, the campaign says it still wants your money. You just have to do it snail-mail-style or by phone.
We wouldn't trust our financial information with this campaign no matter how much they ensured security. This wasn't some crazy, evil hacker who outsmarted the campaign. They just left this data out in the open for anyone to pick up because they can't run a website.
And if Coleman can't run a website, we probably shouldn't trust him to represent Minnesota.