No place for a spin room when it comes to data breaches

March 13, 2009
Was the campaign for Sen. Norm Coleman, R-Minn., serious when it tried to throw around a bunch of fancy security technology jargon and emotion-provoking adjectives in the wake of its data breach revelation?

Based on a statement from the campaign and the senator himself (who reportedly used words like "chilling" and "frightening" to describe the attacks), you might think the campaign was the target of some sophisticated hacker attack. And I guess that's believable, considering Coleman is locked in a nasty legal battle with Al Franken over who won November's election.

(Franken is all but assured the seat once the mess is sorted out.)

But this data-loss incident was anything but "chilling" or "frightening" or the result of a breached firewall or any other complicated compromise, as the campaign suggested in a statement. Instead, it was an IT consultant who randomly stumbled upon a spreadsheet -- sitting publicly available on the web -- containing Coleman donors' credit card records.

From the Minneapolis Star-Tribune:
One of the first to discover the exposed database was Adria Richards, a Minneapolis freelance technical consultant. Richards checked the Coleman site on the night of Jan. 28 after getting reports that heavy traffic had crashed it; less than two minutes of poking with her browser put her into the database, she said. "A third-grader could have done it," she said.

Third-graders don't know how to breach firewalls, but they certainly know how to type a URL into an address bar and find a document that shouldn't be publicly viewable on the web.

Shame on you, Coleman campaign, for trying to spin this like some big-bad hacker infiltrated your database.

And while we're at it, the campaign should also be sorry for not alerting the victims sooner.

Maybe they were doing a recount, hoping the number wasn't really 4,700.