(Originally published on my Infrasupport blog on April 7, 2013. I back-dated the posting here.)
This story is personal. It is one of the best examples I’ve seen where poor IT security practices and the physical world collide and leave a trail of destruction.
Way back in 2006, I registered my name with the Norm Coleman for Senate campaign. Although the US Senate election was two years away, I felt kind of like an insider when the Coleman campaign sent me email updates. Fortunately for me, I never gave the campaign a credit card number.
The 2008 Minnesota Senate election between Norm Coleman and Al Franken was too close to call. There were recounts, court challenges, and recounts of recounted recounts. Franken eventually won by a few dozen votes.
This is where it gets personal.
On March 10, 2009, I received this email, reproduced below with original spelling errors:
From: Wikileaks Press Office [mailto:firstname.lastname@example.org] Sent: Tuesday, March 10, 2009 9:29 PM To: undisclosed-recipients Subject: Norm Coleman leak
Senator Norm Coleman supporter / contributor list leaked.
Your name, address and other details appear on a membership list leaked to us from the Norm Coleman Senate campaign.
If you have contributed financially to the Coleman campaign there are additional details.
We understand that Norm Coleman became aware of the leak in January.
The information has been passed around out of public view.
We have sent you this note as a curtesy in case Norm Coleman has not contacted you previously.
We have not released the material yet, but may do so within the next few days.
In line with our policy of completely neturality for whistleblowers and political sources, the material will be treated impartially. We support all those who engage in the struggle for political reform and wish you well.
For additional details, see: [Web links in the remainder of the email are no longer any good]
Apparently, my name and email address were now in the public domain because I filled out a web form on the Coleman for Senate website. Not a big deal for me – I’m already on several spam lists anyway. But information about all of Coleman’s online donors was also in the public domain, including credit card numbers and security codes. This was a big deal.
Apparently, after the election and during one of the many recount challenges in January, 2009, the Coleman campaign decided to move its website.
Unfortunately, the campaign left a copy of its website content at the old hosting site, wide open for the whole world to see. One of the files was an unencrypted spreadsheet listing donor contact information, credit card numbers, and security codes. This is a wildly reckless violation of security best practices and PCI (Payment Card Industry) rules. Credit card information should never be stored on the same system as a public facing website. If the website is breached, the credit card information is also at risk. This data should reside in a back end database server with carefully crafted access controls, putting another line of defense between this sensitive information and potential thieves. And as a final line of defense, credit card information should always be encrypted, which at least makes it difficult for data thieves to exploit.
Organizations storing donor or customer sensitive information have an almost sacred duty to protect that information. After all, these are the people who fund and trust the organization. With its amateur approach to security, the Coleman campaign demonstrated a reckless disrespect for its own donors’ trust and paid dearly for it.
Adria Richards, an IT consultant specializing in website security, found the old website content, took a screenshot of what she found, and posted the screenshot on her blog. Here is the only remaining evidence I can find of Richards’ blog, and here is a PDF copy in case the web link goes bad. The Minnesota Independent published an article on January 28 2009 about the incident. Here is the article and here is a PDF copy.
While Richards’ detective work is admirable, she should have notified the Coleman campaign first, before publicizing the problem. Her failure to contact the campaign before publicizing her findings violated an ethical best practice.
Sometime between January 28 and early March, 2009, Wikileaks obtained a copy of the spreadsheet, and that led to the email I found in my inbox when I woke up the morning of March 10. The public reaction came fast and furious. Here is another Minnesota Independent article and PDF copy. Here is a Computerworld article and PDF copy. And here is a Minnesota Independent article and PDF copy with donor reactions. Predictably, donors were upset and at least one donor reported being victimized by credit card fraud.
For the next few days, the story saturated Minnesota TV and print media. Although the Coleman campaign tried to defend itself in the press, it ended up with a major public relations black eye as the campaign alienated its own donors and supporters.
Coleman eventually lost the recount battle in one of the closest US Senate elections in United States history. In early 2013, Coleman floated the idea of trying a rematch against Franken in the 2014 election. A few days later, Coleman announced he would not run in 2014.
I wonder how much Coleman’s poor IT security practices hurt his political career? After studying this incident and Coleman’s bungled reaction, I know I don’t want Norm Coleman representing me in the US Senate or anywhere else. I have a hunch many others feel the same way.