Coleman donor data breached in January, but donors alerted by Wikileaks not campaign

Norm Coleman's public site contained sensitive data information, and the data was breached in January but the campaign didn't tell anyone except authorities until now.
Written by Richard Koman, Contributor
Donors to Minnesota Senator Norm Coleman's campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman's campaign was keeping donor information in an unprotected database that contained names, addresses, emails, credit card numbers and those three-digit codes on the back of cards, Wikileaks told donors in an email. Want proof? Here's the Excel spreadsheet of donor data.

According to the Hill, Wikileaks told donors:

"We have discovered that all on-line Coleman contributors had their full credit card details released onto the Internet on 28 of [January], 2009, by Coleman's staff."

The Minnesota Independent adds that Wikileaks pointed out that if the campaign knew of the leak and failed to alert donors immediately, there has been a violation of state law. Minnesota statute 325E.61 states:

(a) Any person or business that conducts business in this state, and that owns or licenses data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in paragraph (c), or with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data system.

(b) Any person or business that maintains data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c)The notification required by this section and section 13.055, subdivision 6, may be delayed to a date certain if a law enforcement agency affirmatively determines that the notification will impede a criminal investigation.

Coleman's campaign sent out an email early this morning stating that there was no unauthorized download. Campaign manager Cullen Sheehan wrote:

We contacted federal authorities at that time, and they reviewed logs from the server in question as well as additional firewall logs. They indicated that, after reviewing those logs, they did not find evidence that our database was downloaded by any unauthorized party.

Let me be very clear: At this point, we don't know if last evening's e-mail is a political dirty trick or what the objective is of the person who sent the e-mail.

What we do know, however, is that there is a strong likelihood that these individuals have found a way to breach private and confidential information.

Editorial standards