Coleman Donor Database Story Debunked

By Noah Kunin, Senior Political Correspondent

On January 28th 2009, the index for colemanforsenate.com was open publicly for several hours.  Within the index was a database of individuals who had contributed to the Coleman for Senate campaign.  It went back to March 2008.  This database was accessed by many known individuals and an unknown number of unknown individuals. 

(photo from Adria Richards)

Under Minnesota Statute 325E.61, in these circumstances the Coleman for Senate campaign was required to disclose to these donors that their data was leaked onto the internet.  It appears the Coleman campaign did not follow the statute because a "probe" conducted by the Secret Service and the Bureau of Criminal Apprehension , informed Coleman staff that no inappropriate access took place.  The above imagery proves this is false. 

UPDATED 1:49PM, 3/12/09: Moreover, the Payment Card Industry Council prohibts the actual storage of any of this information in an unencrypted state.  The database also incldued the 3-digit security code listed on the back of credit and debit cards.  This information is not to be stored in any permaement way after the transaction is completed, according to e-commerce standards.  Additionally, this is prohibited by Minnesota Statute 325E.64: (emphasis added)

For more information on this aspect of the story, consult this Pioneer Press article by Dave Orrick.

The very contention that no one downloaded the database once the index was open is impossible.  As computer security expert Bruce Schneier told Minnesota Public Radio: (emphasis added)

Indeed.  Schneier left out one possibility.  The Coleman campaign, in desiring to avoid public embarrassment in January, gave falsified server logs to federal authorities.

Regardless, yesterday Wikileaks.org re-released the database and emailed all the donors whose information had been released in January. Wikileaks staff felt the release was urgent and necessary since Coleman's campaign had not notified the donors themselves. 

UPDATE 11:32AM, 3/12/09:  Minnesota Public Radio, via The Associated Press is printing the following statement from Jay Lim, spokesman for Wikileaks.org:(emphasis added)

It appears some financial institutions took it upon themselves to investigate the unauthorized release of data.  Andy Apilkowski, a longtime Republican, wrote on his blog Residual Forces that Wikileaks.org and the Coleman Campaign emailed him Tuesday that his credit card information had been included in the leak.  Apilkowski says that explains why his bank had notified him that his debit card had been involved in a security breach and they were sending him a new one - two weeks ago!

If the initial Coleman probe concluded that no one downloaded the donor database, why did a bank preemptively cancel a donor's debit card?

UPDATE 11:14AM, 3/12/09: An astute UpTake reader brings up another possibilty regarding the case of Apilkowski.  Apilkowski's bank may have been investigating the Heartland Payment Systems security breach incident.  News regarding the incident broke the same month as the Coleman database release. This security breach may be the "largest ever" according to the Washington Post.

UPDATE2 10:06AM, 3/12/09: Here, technology consultant Adria Richards explains how she discovered the Coleman database had been released: