Hackers publish private information of Norm Coleman donors
This is despicable:
At the end of January, a hacker broke into Senator Norm Coleman’s web site and gained access to information there about donors to the Coleman campaign. Coleman’s staff had a forensic analysis performed and were assured that the donor information had not been downloaded.
It appears, however, that this conclusion was mistaken, as last night, a left-wing group called Wikileaks.org sent emails to Coleman’s donors that attached an Excel spread sheet with the hacked donor information:
Wikileaks has released detailed lists of the controversial Republican Norm Coleman’s supporters and donors. Some 51,000 individuals are represented. Although politically interesting in their own right, the lists, which are part of an enormous 4.3 Gb database leak from the Coleman campaign, provide proof to the rumors that sensitive information–including thousands of supporter’s [sic] credit card numbers–where [sic] put onto the internet on January 28 as a result of sloppy handling by the campaign.
I would say that they were “put onto the internet” as a result of illegal hacking by a Democrat.
“Wikileaks” explained in an earlier email that it was making public the information on Coleman’s donors, including their credit card numbers, because of the “Coleman campaign’s effort to impugn the election processes in the State of Minnesota.” As a result of Wikileak’s mass email of a spread sheet containing credit card information for thousands of Coleman donors, the Coleman campaign sent an email to its supporters today suggesting that they cancel their credit cards.
Not only did they publish this highly sensitive information just to aggravate conservatives, Power Line’s John Hinderaker adds that he was contacted by his bank a week or two after Coleman’s database was hacked. His bank told him ‘my credit card numbers had been stolen and patently improper charges were being rung up. As a result I had to cancel that credit card and get a new one. I didn’t know it at the time, but it appears that in all probability, I was one of the victims of the Democrats’ hacking of Coleman’s web site.’
It once again shows that the most unreliable and despicable people in the American political debate can’t be found on the right, but on the left. This should have caused major outrage. Not just from moderates and conservatives but also from liberals. If a conservative hacker would’ve done this, conservative bloggers would have jumped on it, condemning this despicable act.
Liberal bloggers, however, remain quiet. As they usually do when one of their own breaks the law.
You really do know a lot about the intent and identity of this “hacker”, shouldn’t you be contacting the FBI with this information?
This leak was first reported late January, and the information have been out there for a while. And I write “hacker” since it’s clear from the first report of this that the Coleman campaign has been neglective when setting up their site.
Not only did they allow people to see the root folders on the site, they have also stored this information so that it could be downloaded mere by using a browser.
Furthermore, while this has nothing to do with their stupidity in handling this sensitive information, the Coleman campaign neglected to contact their donors when they found this out and they also stored the creditcard numbers unencrypted and even worse they also stored the CVV2 that you’re not allowed to store at all.
The campaign should have contacted their donors at once when this was first reported. My guess is that they didn’t cause that would have made a lot of donors furious when the campaign really needed money for the recount.
Considering that the file was stored incorrectly, not hidden, no need to use anything else than a browser, do you have any idea what law was broken?
“It once again shows that the most unreliable and despicable people in the American political debate can’t be found on the right, but on the left.”
Indeed. We’re all very grateful that the political right has consistently modeled nothing but grace and virtue, in both actions and discourse.
Sigh…
Polimom:
Even though I disagree with Michael’s statement (after criticizing anti-Obama “birthers” as well as Paul-bot conspiracy theorists and enduring the reams of vulgar and abusive spam that resulted in both cases, I am well aware that extremist wackos are well represented on both extremes), I also would point out that you are misrepresenting it in your comment. I don’t think it is productive to respond to a statement you disagree with by caricaturing it.
Also, it is fascinating to observe how EVERY SINGLE TIME liberals get criticized (fairly or unfairly), the immediate response is ALWAYS to change the subject and focus instead on either “Republicans are worse” or criticizing the way in which the critic is being supposedly intolerable in the way they criticize.
Why not simply concede that it is wrong to use identity theft as a technique of political harassment?
Jason, I’m sorry you found my comment to be inappropriate. But responding to a caricature with a caricature is an innate reflex. I’ll try harder to control those instincts next time.
Oops. Sorry for the brevity just above. I initially responded to your original comment, Jason, before you edited it comprehensively.
I can’t speak for how others react to these things, but I’m also offended when conservatives are lumped and stomped in absolutist terms — and often say so. And I utterly fail to see how I misrepresented his statement.
Yes, it IS wrong to use identity theft as a technique. It’s appalling! And if Michael’s post had merely discussed that, rather than continued into a sweeping generalization / rant, I’m absolutely positive I’d have responded differently.
Since he didn’t, neither did I.
Polimom, I think Michael’s sweeping generalization is a reaction though to the fact that liberal extremists are not routinely called out by moderate liberals while the conservative extremists are always pointed out- thus leading to the persistent caricaturization.
And it does seem to me that giving the liberal extremists a pass is leading to more and more boldness, with events like this one and for another example, the breaches of privacy of Joe the Plumber (I’m no big fan of his and I think the idolization of him by some on the right is ridiculous, but it’s still appalling that his private life was used even by elected officials to try to harm his reputation, all because he had the gall to ask an uncomfortable question of a political candidate.) I realize some on the left were honest enough to criticize this, but there certainly wasn’t a unanimous smackdown of those who used that tactic to discredit him.
So, I don’t agree with the way Michael phrased this either, but I do understand where his reaction comes from.
It’s been six weeks since it was first reported that a database of online Coleman donors had been available for anyone to download. A file that stored complete credit card information of over 50,000 donors.
The problem here isn’t that wikileak decided to publish it. The problem is that anyone could get their hands on it and that at least one person did, despite what the Coleman campaign said back in January. The information that wikileak published has parts of the credit card info removed. The original does not. By not reporting this at once, in January, the Coleman campaign put their campaign before their donors.
Personally, I think wikileaks should have removed more information before publishing. But it’s a good thing that they did publish it, since that means that the donors now know that their information has been compromised so that they can take appropriate actions.
I have yet to see a conservative blogger even acknowledging the information the Coleman campaign stored and how it stored it.
Yes, PJ, quite right. And we should also expect police to break into our homes in order to prove to us that our homes’ security can be compromised. They’d only be doing us a favor, right?
C Stanley, I can’t think of a single instance where there was a unanimous smackdown of their own by either the right OR the left.
It’s disconcerting though (at least to me) to come across such pointedly one-sided hostility on a site I read because I think of it as moderate. In the past (when I was still blogging politically), I slipped with things like this now and again — and I was correctly called out for it every time.
Could I have been more gentle? No doubt. As I said to Jason — I’ll try harder next time.
C Stanley, no one broke into the home. The security wasn’t comprimised.
Do you believe downloading information from a site is against the law?
All I know is that you’re not allowed to store the CVV2.
I would really like to know what law was broken.
Um, OK, but I know you’re a reader of another ‘moderate’ site where there is pointedly one-sided hostility on a regular basis, and I don’t recall you expressing concern over it.
Look, we all see things in different measure depending on our perspective, and I’m sure I also call out the particular offenders that offend me personally rather than being even handed about it. But when I attempt to take a broader and more objective view, I can’t possibly come to the conclusion that moderate left bloggers are policing their own side to any substantial degree at all, and while some right leaning blogs don’t either, at least there are some that do.
“I don’t recall you expressing concern over it”
“Um, OK”
PJ, this article stated that the donor information was obtained by hacking, not downloading the publicly available information.
PM:
http://themoderatevoice.com/27077/2010-republicans-a-moderate-republican-platform/#comment-7144867
PJ — Prior to today, I’d only been following this story from afar (i.e.: scanning the headlines). So I’m taking your information about the non-secure site at face value. That said — you’re quite right that the Coleman campaign appears to have been grossly negligent. And were lawsuits to come of this, I wouldn’t be surprised to see them as secondary defendants.
OTOH, somebody’s lack of diligence never justifies theft. Ever. One is stupid. The other is malignant.
C Stanley:
C Stanley, the article stated is from PowerLine and while I understand that Hinderaker is very angry since his name is one of leaked ones, he’s wrong.
Read this blog entry from January.
Polimom, I totally agree that lack of diligence never justifies theft. And to my knowledge the first one to report about this didn’t download anything. But that doesn’t mean that she was the only one that found the files.
And that’s important, anyone could have downloaded the database (really a backup of it), the campaign was notified about it and reported that no one had downloaded it. It’s rather obvious that that isn’t correct. I have no idea about if they were just wrong or if they lied about it.
But for at least six weeks some people have had information about over 50,000 donors including I think at least 14,000 credit cards.
If someone wanted to hurt the Coleman campaign then there’s no need to publish those names, just pointing out that they have been comprimised is enough, since that should have meant that the campaign should have contacted everyone of those donors. But the campaign didn’t.
For some reason I think some people would have been a lot more angry if the goverment had been as negligent with this kind of information.
For some reason I think some people would have been a lot more angry if the goverment had been as negligent with this kind of information.
Well, that only makes sense because government has information that we give involuntarily, not voluntarily.
The breach of trust, if there was one, is between the donors and the Coleman campaign. They should feel angry if the website was not properly managed to mitigate privacy risk, but that doesn’t carry the same sort of risk as government not protecting our private information (because we often have no choice in opting out.)
C Stanley, you’re right about the involuntarily/voluntarily bit.
Did you check the link?
(But just because I give information voluntarily doesn’t mean that I’m going to approve that they would mishandle it like the campaign did. Especially not this kind of information.)
With there being no evidence for the site actually being hacked, the outrage over the leaked information should also include the campaign.
I checked the link briefly, I just don’t care that much to investigate it further. And I’m trying to explain why I don’t care- it’s because any outrage should be on the part of the people actually involved. I was not a donor, therefore the most that this involves me is to make note of it for future reference in checking out website security when making payments of any kind.
I’ve been the victim of check fraud in the past, for instance, but I don’t expect you to be outraged over that.
C Stanley, if you did investigate it further then you would know if the site had been hacked or not. With all the outrage about “democratic hackers” that information might be interesting for those that would want to know the whole truth…
—
About wikileaks being a left-wing group, check the wikileak page. They also got some more information about this that’s worth the read.
And about Hinderaker’s outrage, as I understand if from other blogs, his credit card information was never exposed. If that’s right, it doesn’t mean that he shouldn’t be angry, but his credit card problem isn’t due to this.
No, actually what I did read said that one side claimed it was a hacking and the other side claimed it was not a hacking because the information wasn’t behind a secure wall on the site. And I still don’t see why it would exonerate the person who sought the information if they walked into an unlocked area instead of breaking the lock on the door. Clearly a list of people’s credit card information isn’t meant to be in the public domain, even if it was inadvertantly left unprotected.
C Stanley, anyone was able to download the information, without the need for any kind of special program other than a normal browser. Since the file wasn’t marked as “Donor_CC_information.tar.gz” for instace, I doubt that anyone sought the information or new that they information contained that information.
This isn’t locked door/unlocked door. This is like someone having a garage sale on his front yard and he forgot that under a couple magazines he had put statements with his credit card information. Or that among the videotapes he had decided to sell, there’s also that special tape he made with his wife on their honeymoon, that he stupidly had kept among the other tapes for easy viewing.
Web Developer here. Just dropping in to say that politics aside, this is a shoddy website design issue, not hacking. His website got overloaded with traffic it couldn’t handle. Not lethal on its own. But the preprocessor for the pages broke down under the weight, while the server itself kept going. So, instead of handling the pages, it dumped users to a directory.
That directory had two files, sitting alone, out in the open. This should never have happened. On the computer, there is a folder assigned to storing web content. All pages are served from here. Sensitive data should never be stored there, and data dumps of customer files have no place there.
Based on the second file’s name, extract_emails.php, the point was to use the php script to extract the emails from the database. In this case, the solution would be to have the php script be publically accessible, but have it read from a file located outside the public directory. That’s all it would have taken to solve this problem. But the guy who made the webpage handled it badly, and Coleman probably didn’t even know it was going down.
If the guy you hired to build your site made a mistake like this, chances are you probably know even less than he does, which would be nothing. Giving the coder access to that db in the first place was a mistake. Claiming the file was never downloaded was a lie, which i consider a mistake. Storing unencrypted cc numbers is a mistake. Storing CVV2 numbers is not allowed, period.
I can fault Coleman for the lying (or maybe the team which investigated the breach was as incompetent as the web developer?). Unless they explicitly disabled logging, webservers record every request made to the page, regardless of outcome. Searching for a request on that specific file would be trivial. Was Coleman lying, or the investigators just fools? Who knows?
A lot of these issues might appear to be malicious acts by Coleman, but from my viewpoint, look like absolute disaster errors from a rookie web developer who went in to this with no understanding of how web servers even work, and no respect for the sensitivity of the data he was provided.
It wasn’t hacking though. Just to be absolutely clear. Call people out when they make mistakes, but do not spread disinformation. Do not let honesty be a casualty of your agenda.