Minn. AG should investigate Coleman, local web developer says
When Wikileaks reported on the availability of Norm Coleman's supporter list and financial information, his campaign called for the investigation and prosecution of the supposed hacker. Well, it seems a majority of people outside of the campaign see this as a possible crime committed by Coleman's team, as they made their supporters' data easily accessible on their site. In addition to that, their database revealed that they were storing credit card numbers, expiration dates and security codes without encryption.
At least one local Web developer has formally contacted the Minnesota Attorney General's office asking them to investigate Coleman's campaign for possible consumer protection violations. Will they take up this case?
Tony Webster has submitted a letter to AG Lori Swanson reviewing that issue and calling out the campaign for violations. CP has reported on similar concerns.
Here is an excerpt:
As a website that accepts payments via credit card, the Coleman campaign is bound by the Payment Card Industry Security Standards (PCI DSS), a unified set of rules agreed to by all major credit card companies, banks and card processing services. According to PCI DSS, Requirement 3, the storage of credit card numbers is permitted as long as it is "...required for business, legal and/or regulatory purposes." In any case, the card number must be protected by encryption. If the expiration date is stored, it must also be encrypted. In no case should the three or four-digit security code on the back of a credit card ever be stored, regardless of the reason and regardless of the protection or encryption used.
View the full PDF letter here.
At this point, it's clear that the Coleman campaign took several negligent steps in the matter: (a) the improper storage and collection of full credit card numbers, expiration dates and card security codes, (b) the database contents being exported from the database to a database file, (c) the misconfiguration of the Coleman campaign website, and (d) the further publication of the database file to the internet.
We've contacted Swanson's office and left a message, but haven't received a response about additional letters submitted or a potential investigation from their office. If you have also submitted a letter to authorities on this matter, please contact Blotter.