From WikiLeaks

March 11, 2009

WikiLeaks Press Releases

Coleman leak update

By Staff

WIKILEAKS PRESS RELEASE

Wed Mar 12 11:39:23 GMT 2009

Many of you have had questions in relation to the Coleman database leak. Wikileaks can not reply to all inquiries individually, so we have prepared what we hope will be answers suitable for everyone:

1) Wikileaks is a non-partisan public service:

Wikileaks is an international public service primarily based out of Stockholm, Nairobi and Washington.

Wikileaks protects confidential sources trying to get information to the press and journalists who have been censored. We protect all our sources under the Swedish Press Freedom Act, which provides criminal sanctions against those attempting to breach source-journalist confidentiality. We are also personally bound by this law as are all our contractors.

Wikileaks protects sources regardless of country or political alignment. In practice, most of our work is related to human rights violations, corruption and preventing censorship. We are banned in the United Arab Emirates and China.

We don't just talk about neutrality--we practice it. Many of you have asked whether we would publish similar material from the Democrats. The answer is yes. All documents that fit our simple, transparent guidelines are released to the public.

We are non-partisan and have published many documents considered to be supportive of Republican interests that have become major news items.

Examples:

If you have confidential or censored documents on a matter of political, diplomatic, ethical or historical importance you can be confident that we will protect you.

For more information about our work, including contact details in various cities, see:

For secure access:

2) Coleman released full credit details, but Wikileaks did not.

Although the Coleman database contains full credit card numbers, security numbers and all personal necessary details needed to make a transaction. Wikileaks did not release these. Wikileaks released the last 4 digits and the security numbers only, and then only after notifying those concerned:

A number of people tried to raise the issue back in January, without releasing any information at all. There was no response from the Coleman Campaign and the material had been "floating around" the Internet for at least six weeks.

Please try to avoid the quite natural desire to shoot the messenger.

Coleman supporters only know about the issue because of our work. Had it been up to Senator Coleman, they would never have known.

As part of our public benefit maximization strategy, we privately contact concerned parties before releasing a major leak. That is why we contacted Coleman supporters directly. We would have liked donors to have had several days to digest the findings in private, but Senator Coleman decided to publicly "spin" the issue, including denying that any leak had occurred, forcing us to respond.

References:

3) The database was made public by the Coleman Campaign.

There was no "hack".

The database was made publicly available for a short period of time by Coleman staff as http://colemanforsenate.com/db/database.tar.gz on Jan 28 and possibly other days.

This is clearly due to sloppy handling by the Coleman Campaign.

References: Several articles from January 28-30

This updated article is the most approachable:

Attempts by the Coleman Campaign to blame others, rather than just admitting fault and getting on with it are to be condemned.

4) By Law, the Coleman Campaign should never have stored donors' security details

The idea behind "back of the card" security numbers is that they are never to be stored but only used to authenticate the transaction at the time it is made.

The Coleman Campaign stored "back of the card" security numbers for donors. This is both illegal under Minnesota law, which requires their destruction within 48 hours, and a breach of the contract credit card companies demand.

References:

Minnesota Law H.F. 1758: Subd. 2. Security or identification information; retention prohibited. No person or entity conducting business in Minnesota that accepts an access device in connection with a transaction shall retain the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data, subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction. A person or entity is in violation of this section if its service provider retains such data subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction.

The full Law: * https://www.revisor.leg.state.mn.us/bin/getpub.php?type=law&year=2007&sn=0&num=108

Related article: http://www.twincities.com/allheadlines/ci_11891772

Because the Coleman Campaign violated these standards it may be liable for any associated fraud.

5) By Law, the Coleman Campaign should have notified notified donors

Although aware of the public exposure of the data since January, the Coleman Campaign did nothing to notify donors, in violation Minnesota law.

References:

Section (3), as stated above, showing that the Coleman Campaign had been informed in January, that the information was public and that it had been downloaded. For instance:

Update 5:40pm 1/29/2009 Stay tuned for video posting from the 1/29/2009 lifestream: * why the database was available * what it contained * how website developers and companies can work to prevent this from happening * and take questions from viewers Update 11:11pm 1/29/2009 Current rumors The database contains social security numbers The database contains credit card information (POST data)

Recent statements by the Coleman Campaign showing they were aware of the exposure at the time.

Minnesota Statute 325E.61 "Notice Required for Certain Disclosures".

Subdivision 1.Disclosure of personal information; notice required.

(a) Any person or business that conducts business in this state, and that owns or licenses data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay,

The full Law: * https://www.revisor.leg.state.mn.us/statutes/?id=325E.61

"The Big Bad Database of Senator Norm Coleman"

By Staff

WIKILEAKS PRESS RELEASE

Wed Mar 11 13:00:43 GMT 2009

Senator Norm Coleman, explaining

Wikileaks has released detailed lists of the controversial Republican Senator Norm Coleman's supporters and donors. Some 51,000 individuals are represented.

Although politically interesting in their own right, the lists, which are part of an enormous 4.3Gb database leak from the Coleman campaign, provide proof to the rumors that sensitive information--including thousands of supporter's credit card numbers--were put onto the Internet on January 28 as a result of sloppy handling.

Senator Coleman collected detailed information on every supporter and website visitor and retained unencrypted credit card information from donors, including their security codes. Although made aware of the leak in January, Senator Coleman kept the breach secret, failing to inform contributors, in violation of Minnesota Statute 325E.61.

The statute states that organizations that become aware of such a disclosure of sensitive unencrypted personal information must notify the individuals concerned "in the most expedient time possible and without unreasonable delay" and "immediately following discovery."

The information circulated on the Internet for six weeks before a warning was sent by Wikileaks to those affected, pending its analysis of the material.

Yesterday Wikileaks sent two notifications to Coleman's supporters as a courtesy prior to releasing a subset of the data.

Today Senator Coleman's Campaign manager Cullen Sheehan tried to spin the issue, claiming somewhat fantastically that no data had been downloaded, that the culprits would be caught and that all donors should cancel their credit cards. No apology was made for the initial leak or its cover up.

In response Wikileaks has had to bring forward its public announcement. The open government group has released two files, a detailed list of 4,721 on-line donors with the last four digits of their credit cards as proof and a list of some 51,641 supporters. The full database comprises over 30 tables of information, including personal details, full credit card numbers, passwords and "back of card" security numbers.

Wikileaks will release other material from the extensive Coleman database once those affected have time to be informed.

The initial whistleblower letter to Wikileaks stated:

TO WIKILEAKS / TO WHOM IT MAY CONCERN / TO INTERESTED MEDIA: The attached files comprise a snapshot of the website database of the Norm Coleman campaign as of January 28, 2009. The database was exposed by the incompetence of Coleman's website personnel, making the information public for a period of time. The fact that this database was improperly exposed by Norm Coleman's own staff, can be verified here: http://butyoureagirl.com/2009/01/28/did-norm-coleman-fake-his-own-website-death/ and http://www.politicsinminnesota.com/2009/jan30/1770/epic-recount-website-fail-one-dot-one-dot-one-dot-one That said, I feel it is very important that the actual database be provided to a trusted media liaison, for several reasons: A) The Coleman campaign's effort to impugn the election processes in the State of Minnesota have gone beyond mere political rigor into partisan malfeasance of the sort that has plagued this country for the past eight years, to the benefit of nobody and the great detriment of the citizens of this State; B) The Coleman campaign has illegally collected personal financial details of its donors, in the form of unencrypted credit card numbers, without reporting this as required in the Minnesota Government Data Practices Act (under which citizens are entitled to such notification for each significant unit of data stored); C) The Coleman campaign's incompetence in managing said personal information has lead to the release of this information to the Internet at large, potentially exposing the donors to fraud, identity theft, financial harm and potential political persecution; D) The citizens and donors have a right to know that their personal information was exposed; E) Notification to users of such exposure of personal information is also required under the Minnesota Government Data Practices Act: https://www.revisor.leg.state.mn.us/statutes/?id=325E.61 however the Coleman campaign has made no attempt to contact their supporters over the issue, despite being made aware of it, and despite the database floating around the Internet. F) The failure of the Coleman campaign to faithfully disclose the above to the citizens of the State of Minnesota will result in further such indiscretions by its elected officials by fostering an atmosphere of impunity in matters of campaign finance and personal data privacy. G) The public has a right to know.

Source documents

Additional press and internet media coverage

WikiLeaks notifying mails to Coleman supporters

On Tuesday 10th and early Wednesday 11th of March 2009, WikiLeaks informed the supporters listed in Norm Coleman's database about the security breach and that the information will be released online.

As with other cases of mass disclosure, like the BNP membership list, WikiLeaks is sending out notifications to victims of security breaches to ensure they become aware of the leak and can act up on it.

While Norm Coleman and his campaign team were aware of the breach back in January, and the lists had circulated for months on the Internet and various file-sharing portals, they decided not to inform their supporters, which while being plain disrespectful, also violates Minnesota Statute 325E.61.

Subject: Norm Coleman leak Sent: Tuesday, March 10, 2009 7:29 PM Senator Norm Coleman supporter / contributor list leaked. Your name, address and other details appear on a membership list leaked to us from the Norm Coleman Senate campaign. If you have contributed financially to the Coleman campaign there are additional details. We understand that Norm Coleman became aware of the leak in January. The information has been passed around out of public view. We have sent you this note as a courtesy in case Norm Coleman has not contacted you previously. We have not released the material yet, but may do so within the next few days. In line with our policy of completely neutrality for whistleblowers and political sources, the material will be treated impartially. We support all those who engage in the struggle for political reform and wish you well. For additional details, see: http://wikileaks.org/ http://news.google.com/news?ned=us&hl=en&q=wikileaks&scoring=n&nolr=1

Subject: Re: Norm Coleman leak (update) Sent: Wednesday, March 11, 2009 12:31 AM Following our earlier email over the Coleman leak, we have discovered that all on-line Coleman contributors had their full credit card details released onto the Internet on 28 of Jan, 2009 by Coleman's staff. Senator Coleman was made aware of this yet elected not to inform supporters in violation of Minnesota Statute 325E.61: https://www.revisor.leg.state.mn.us/statutes/?id=325E.61 We provide proof of here (Windows Excel spreadsheet), which if you are a contributor will provide the last 4 digits of your Credit card and the security numbers on the back. Please check: http://wikileaks.org/leak/coleman-contributions-2009.xls Since the database has been floating around the internet, we suggest you call your bank and cancel the card. However if you are one of our supporters and appreciate this warning don't forget to donate to Wikileaks (Sunshine Press) first! For additional details, see: https://secure.wikileaks.org/

Coleman Campaign "spin" letter to supporters

Wed 11 Mar 2009 from the Cullen Sheehan, Coleman Campaign Manager to response to a pre-release courtesy note sent to Coleman supporters by Wikileaks informing them of the upcoming publication. Nearly all of the Sheehan claims are false or "spin".

Dear Supporter, Last evening, we began receiving emails and phone calls from donors - and non-donors - who reported receiving messages from an email address: press-office@wikileaks.org stating that they possessed information about the individual and were threatening to post that information online. We immediately contacted the appropriate federal law enforcement authorities and they are aggressively investigating this matter. We take the privacy and confidentiality of our donors and supporters extremely seriously. In January, an event occurred that made us fearful that our firewalls might have been breached.? We contacted federal authorities at that time, and they reviewed logs from the server in question as well as additional firewall logs.? They indicated that, after reviewing those logs, they did not find evidence that our database was downloaded by any unauthorized party. Let me be very clear:? At this point, we don't know if last evening's email is a political dirty trick or what the objective is of the person who sent the email. What we do know, however, is that there is a strong likelihood that these individuals have found a way to breach private and confidential information. But because of this uncertainty, and out of an abundance of caution, we have begun contacting our supporters to provide them with as much information as we currently have available. Given the nature of this threat, if you have concerns about whether or not your credit card that was used to make a donation to the campaign has been compromised, we encourage ou to contact your credit card company to cancel the card.? If you have any questions, please contact us at the Coleman for Senate Campaign at (651) 645-0766. All of our donors and supporters should be assured that our campaign will work with all appropriate federal and state law enforcement agencies to take all appropriate legal action to identify the individual or individuals who may be involved in this matter and to pursue all appropriate legal action against them. Sincerely, Cullen Sheehan Campaign Manager

Online contribution spectrum

$754,215.55 in total, covering 19 Mar 2008 to 6 Jan 2009:

+------------+----------+ ; dollars | count | +------------+----------+ ; 0.01 | 1 | ; 1.00 | 1 | ; 3.00 | 1 | ; 4.00 | 1 | ; 4.50 | 1 | ; 5.00 | 31 | ; 5.55 | 1 | ; 6.00 | 1 | ; 10.00 | 128 | ; 10.50 | 1 | ; 12.00 | 4 | ; 15.00 | 82 | ; 17.00 | 1 | ; 18.00 | 5 | ; 19.00 | 1 | ; 19.57 | 1 | ; 20.00 | 62 | ; 20.08 | 1 | ; 22.00 | 2 | ; 23.00 | 2 | ; 24.50 | 1 | ; 25.00 | 1210 | ; 25.42 | 1 | ; 27.00 | 1 | ; 28.00 | 1 | ; 30.00 | 29 | ; 33.00 | 2 | ; 35.00 | 37 | ; 36.00 | 2 | ; 40.00 | 18 | ; 45.00 | 1 | ; 50.00 | 1155 | ; 54.00 | 1 | ; 55.00 | 4 | ; 60.00 | 5 | ; 75.00 | 54 | ; 83.00 | 1 | ; 85.00 | 1 | ; 99.00 | 1 | ; 100.00 | 1092 | ; 100.42 | 1 | ; 108.00 | 1 | ; 110.00 | 1 | ; 112.00 | 1 | ; 121.00 | 1 | ; 125.00 | 5 | ; 150.00 | 34 | ; 175.00 | 2 | ; 180.00 | 1 | ; 199.00 | 7 | ; 199.50 | 2 | ; 200.00 | 123 | ; 205.00 | 2 | ; 250.00 | 139 | ; 300.00 | 22 | ; 400.00 | 4 | ; 500.00 | 190 | ; 700.00 | 1 | ; 750.00 | 4 | ; 900.00 | 1 | ; 1000.00 | 112 | ; 1200.00 | 4 | ; 1300.00 | 8 | ; 1500.00 | 5 | ; 1600.00 | 1 | ; 1900.00 | 1 | ; 2000.00 | 12 | ; 2050.00 | 1 | ; 2100.00 | 2 | ; 2300.00 | 79 | ; 4600.00 | 4 | +------------+----------+

Description of the tables in the 4300Mb Coleman database

You will need a technician familiar with 'mysql' to put the database into politically salient form. The following tables descriptions are in alphabetical order, not order of importance:

404 A list of errors on the website since early 2008. On a major website, this can be a lot. It is a questionable practice to store 404 errors in a database, though. Contains some personal information, investigate further.

admin_user Administrative usernames and passwords for (assumption) changing blog entries.

announcement_dinner_host Empty

blog_post All blog entries on the site. Investigate further; may contain drafts or incomplete entries

blog_post_comment Comments for blog entries. Investigate further; may contain moderated or proof that the Campaign made their own comments.

blog_post_views View counts for each blog entry. The most viewed is the green screen issue, but it might be interesting to chart that out. Investigate further about the least viewed entries, as they may be further indications of erroneous or incomplete entries

cell_provider Information on SMS providers for distributing campaign messages.

content_about Content management for the website. The website's HTML is stored here.

content_normtv Content management for the website.

content_quicklinks Content management for the website.

content_sprout Content management for the website.

content_stayconnected Content management for the website.

contribution Contains campaign contribution information. Unique ID number, first name, last name, city, state, zip, phone, e-mail, employer, title, type of credit card used, name on card, last four of credit card, CVV2 value of the card, donation amount, authorization code from credit card processor, AVS (address verification) match, and a timestamp.

county_posts A list of links to county pages on the MN SOS page, related to the recount.

endorsement A list of endorsements and quotes from newspapers. Further investigation; might contain endorsements that didn't actually happen since there's a 0/1 switch to enable or disable an endorsement from going online.

featured_items Content management for the pretty flash thing in the middle of the site.

friend Looks like it harvests e-mail addresses from when people use the "send to a friend" feature.

gotv A log of constituent contact information (name, address, city, state, zip, phones, e-mail) and results from specific days and shifts of phone calling, door-knocking and poll-watching.

inthenews Articles about the campaign for the "in the news section." Further investigation. Also contains timestamps and the username of the staff member posting it.

issue Content management for issue statements on the website.

loadtime Stores significant information about web views, including user agents and IP addresses. ALSO CONTAINS ALL POST DATA -- THIS INCLUDES UNENCRYPTED CREDIT CARD INFORMATION

menubar_links Content management. Header links.

norm_alert_message Very short messages, assuming to be sent out via text message. Further investigation.

norm_alert_message_recipient A log of when texts were sent to who, and I think it references user ID numbers found in another table, and that's where cell phones are stored.

norm_alert_user The coleman team alert SMS contacts. Around 500 users. User ID number, first and last name, e-mail, zip, cell number and identification of their provider. Timestamps, too.

partner Content management relating to partners? Investigate further.

postcard More e-mails from sending something to a friend.

pressrelease A list of all of the campaign's press releases. Investigate further for changes, incomplete releases.

stomp Not sure what it is, but it has people's first and last names, city, county, phone and e-mail.

truth Content management for the site's "truth" section.

truth_views View counts of the site's "truth" stories.

user Website or targeted users and constituents, and information relating to the source of the data. Contains unique numbers, first/last, address, city, state and zip, county, phone, gender, voter registration status, comments, e-mail, e-mail newsletter bounce information, creation and modification timestamps, volunteer status, if they are in college, donation information and passwords.

video Content management for website videos.

video_category Content management for website video categories.

volunteer_option Ways people can volunteer, such as going door-to-door.