Coleman warns donors after data breach

Coleman sues over recount
Republican Norm Coleman at a recent news conference in St. Paul. Authorities are investigating a possible breach of Coleman's campaign contributors' personal data.
MPR Photo/Curtis Gilbert

The organization Wikileaks sent e-mails to addresses from the Coleman campaign's database, saying the campaign had compromised information about its supporters.

The organization is linking to detailed lists of more than 4,700 of Coleman's online donors, which include the last four digits of their credit card numbers and their three-digit security codes.

Wikileaks is also linking to a list of more than 50,000 Coleman supporters.

"We started getting e-mails last night," said Coleman campaign attorney Fritz Knaak.

Grow the Future of Public Media

MPR News is supported by Members. Gifts from individuals power everything you find here. Make a gift of any amount today to become a Member!

Knaak says officials are still trying to figure out what's going on, but it appears thousands of donors may have had their credit card information compromised.

"It's like putting your filing cabinet outside of your house."

"We know that somebody out there is trying engage in some sort of mischief, but at this point, obviously we're being extremely cautious," said Knaak. "The appropriate investigative authorities are being very aggressive in pursuing this matter, and we intend to get to the bottom of it right away."

Coleman continues to solicit money to pay bills from his lawsuit challenging Democrat Al Franken's 225-vote lead following a statewide recount from their Nov. 4 race. A special court is nearing the end of a lengthy trial, but costly appeals could follow.

Coleman said this afternoon that the situation is frightening and chilling.

"It is obviously an attack on this campaign. But beyond that just in terms of the campaign and the effort we're involved in -- a very expensive legal proceeding -- online fundraising is a very critical element of that," said Coleman. "Clearly the theft of this information, the publication of this information seriously undermines that."

Earlier this year, the Coleman campaign was in the news for an alleged data breach. The allegation was the campaign had faked a crash of its Web site to give the impression its site had been overwhelmed by visitors. The campaign maintains the crash was real.

Adria Richards, a Minneapolis-based technology consultant, said she read in January about the supposed breach of Coleman's site and went there herself out of curiosity.

She says she found what appeared to be volumes of easily accessible data.

"It's like putting your filing cabinet outside of your house," said Richards.

Richards claims she did not hack Coleman's Web site, but instead essentially peaked into an open doorway.

"When you make a backup of your data, you should not store the backup in the Web site directory. You should store it ... one level up," said Richards. "That was the biggest mistake they made. If they were doing regular backups to the Web site. it should have been done one level up. Because then that way if you take out all of the files, like they did for whatever reason, someone can't browse and find your backups."

Richards says she never downloaded anything, but did click some screen shots which she says she posted on her blog to demonstrate the security lapse.

Fritz Knaak from the Coleman campaign says in response to numerous blogs earlier this year, law enforcement agencies, including the Secret Service, thoroughly checked the campaign's computers. Knaak says the officials determined there had been no unauthorized data downloads.

"That response by the campaign makes no sense," said computer security expert Bruce Schneier.

Schneier says no one can legitimately make such a data security claim.

"There's no way that anyone can go through the network and say definitively that nobody accessed the data. That's just ridiculous," said Schneier. "So either they misunderstood what the feds told them, or they're just lying to the press."

Schneier says government and businesses commonly compromise data, and that Coleman's apparent problem, while regrettable, is nothing new.

He advises people who fear their data may have been made public to do nothing apart from closely monitoring their credit card information.

Coleman attorney Fritz Knaak insists the Web site was attacked, and he says he believes a federal crime has been committed.

Knaak is urging anyone who used a credit card to donate to the Coleman campaign to cancel the card.

"There's some kind of list out there, there's some kind information out there and we want to be very cautious."

Wikileaks casts itself as an outlet for "untraceable mass document leaking and analysis," with a focus on exposing oppressive regimes worldwide and unethical behavior in corporations and government.

The group's Web site includes details for 51,641 Coleman contacts, including volunteers, reporters and rallygoers. The group said it would release other information "once those affected have time to be informed."

Jay Lim, a spokesman for Wikileaks, wrote in an e-mail to The Associated Press that "Senator Coleman should not have kept this information in the first instance. "Secondly, his team should not have released the information out onto the open Internet for anyone to download," Lim wrote. "Finally, he should have informed those concerned. He was given plenty of opportunity to do so. We shouldn't have had to do it for him."

Knaak said it's unclear whether Wikileaks had a hand in shaking the information loose or was merely a conduit for disseminating it. He said the campaign doeesn't believe it came from an insider.

Whatever the case, Knaak warned that the data release wouldn't be taken lightly.

"If somebody did this as a lark to see what would happen, they just bought themselves a ton of trouble," he said.