Your Business Security Guide has no interest in taking political sides on this issue; that task will be willingly shouldered by an army of bloggers and reporters from left to right. However, I will continue to follow this story from a security standpoint, as it raises some interesting, critical issues about security, law, and ethics. To bring you up to date, here is a quick review of the situation as it now stands.
Norm Coleman: Former Minnesota Senator, currently embroiled in a legal battle over his apparent photo finish election loss to Al Franken.
Adria Richards: IT pro who exposed an unprotected donor data base stored on Norm Coleman's website. But says she did not download any information.
Wikileaks: A website devoted to "untraceable mass document leaking," which posted a copy of the donor database on its website (with credit card numbers partially removed).
On-line Donors to Coleman's Campaign: The big losers in this story. 4,700 of them have had their financial data strewn around the Internet since January.
The Story So Far ...
January 28: The Norm Coleman campaign reports a website crash. They claim that a spike in traffic, caused by a rush of voters seeking information about the contested election, brought the site to its knees.
On the same day, IT consultant Adria Richards, suspicious that the crash may have been faked, pokes around the Coleman website for information. She claims to have reached an unprotected database through her web browser. To substantiate her claims she captures screen shots of the directory and posts them to her blog and Flickr page. She maintains that she did not download any information from the site.
Meanwhile, the Coleman campaign suspects that their website has been hacked, and initiates an investigation. They claim to find no evidence of files being downloaded, and decide not to alert anyone on their donor list.
March 10: Coleman donors receive emails from Wikileaks, telling them that
“We have discovered that all on-line Coleman contributors had their full credit card details released onto the Internet on 28 of [January], 2009, by Coleman’s staff.”
They further allege that the Coleman campaign knew about the leak, but failed to act.
March 11: In an email, Campaign Manager Cullen Sheehan responds as follows:
"We contacted federal authorities at that time, and they reviewed logs from the server in question as well as additional firewall logs. They indicated that, after reviewing those logs, they did not find evidence that our database was downloaded by any unauthorized party.
Let me be very clear: At this point, we don’t know if last evening’s e-mail is a political dirty trick or what the objective is of the person who sent the e-mail.
What we do know, however, is that there is a strong likelihood that these individuals have found a way to breach private and confidential information."
The Moral of the Story (So Far ...)
Nothing is private on the Internet.