Thursday, March 12, 2009
Norm Coleman Remains Dickish
There are lots of good reasons to justify calling Norm Coleman a dick. His policy stances. The current investigations into his alleged wrongdoings. The horrible advertisements he ran during his campaign. His egomaniacal contesting of the Minnesota election results.
From a data security perspective, this takes the cake - Norm breached the personal and credit card information of his donors on his website back in January, and is only now getting around to letting people know that it would probably be a good idea to cancel those credit cards.
Norm has been trying to spin this as a "hacker" incident, which it isn't. He screwed the pooch, plain and simple - the information was housed in a database, unencrypted or otherwise protected, on a public web site, where it was discovered and eventually posted on the WikiLeaks site.
Standard practice is to never host sensitive data like credit card information on the same physical or virtual server as the web server - for obvious reasons. PCI guidelines call this out clearly, while recommending that the sensitive data be encrypted or otherwise controlled so that even if someone was able to get access to it, it would be worthless without knowing the keys or associated algorithms.
Still to be determined is whether Minnesota data breach laws were broken, given the fact that the incident took place in January and affected donors are only now being made aware of the breach.
Fingers are being pointed by the Coleman camp at a third party provider, which shouldn't give them much cover, as organizations are accountable for ensuring that third parties have adequate security and controls in place.
The truly dickish move? On the breach FAQ section of Coleman's site, there's actually a solicitation for a donation. Gotta hand it to Coleman. If you're going to be a dick, be a big one.