Coleman responds to leak of supporter data


Yesterday, we reported on the leak of supporters' personal data from Norm Coleman's campaign site. The data of 50,000 people was reportedly left unsecured on the campaign's Web site, and the database included financial information for more than 4,700 supporters.

While IT professionals and the media have largely reported the incident as a campaign mistake, Coleman and his team have continued to accuse their opponents of hacking into their Web site to expose their supporters and put their financial information at risk. The Secret Service is currently investigating the incident.

Here is what Coleman had to say, according to the Star Tribune:
Coleman, who said campaign officials found out about the hacking late Tuesday after getting calls from donors, called the online theft "obviously an attack on my campaign" but named no suspects. His lawyer, Fritz Knaak, said that while crippling Coleman's fundraising during the election trial was an obvious reason, the campaign had no evidence that political opponents were to blame.

"This is chilling. This is frightening," Coleman said after Wednesday's trial session. "We live in a world where privacy is hard enough to maintain as it is, and what little is left we find is compromised. ... I am hopeful, not confident, that law enforcement authorities who are involved will get to the bottom."

Coleman's campaign says they have been contacting people on the list to warn them their data has been leaked, but when Minnesota Independent contacted many of the people on the list, most hadn't heard the news.

The Pioneer Press story took a harder shot at Coleman's campaign, leading with a strong statement without attribution: "Former Sen. Norm Coleman's campaign didn't do enough to protect donors' confidential information, and Wednesday that lapse came home to roost as more than 4,700 partial credit card numbers were posted on the Internet."

The paper went on to quote many credit card and IT professionals who blasted Coleman's campaign for its handling of private data:

Kelly McShane, whose job is to secure information in the banking industry, said he learned that the last four digits of his American Express card -- and the four-digit security code used to verify the card -- were posted online when a reporter e-mailed him.

"I'm in IT security for a bank, and I can tell you that this is so ... irresponsible that I can't believe it," said McShane, who had donated $100 to the campaign online.

Credit card industry standards -- via the Payment Card Industry Council, which includes representatives of major credit cards -- dictate that credit card information should never be on the same server as a Web site, said Eric Schultze, chief technology officer for Shavlik Technologies, a Roseville-based computer-security company. Moreover, he said, credit card numbers should be encrypted, or coded.

"Otherwise, you'd just see gobbledygook," Schultze said. "It's a big oops on the part of the Web site administrator, and I'd be surprised if that person still had a job. ... It's a rookie mistake. Anybody worth their salt would not set up a Web site that way."

Coleman's lawyer finally did admit some guilt on the part of the campaign when pressed by the PiPress. He said, "Of course, the campaign feels some sense of responsibility, (but) we do not believe there's any liability on the part of the campaign."