Online donors' data breached: Conservatives

The Conservative party confirmed Wednesday that the names and addresses of online donors were taken when one of its databases was hacked.

Hacker account that touted Harper hoax posts names, emails online

The Conservative Party confirmed Wednesday a database that contains the personal information of donors, including credit card numbers, was hacked.

The acknowledgment came several hours after a Twitter account that claimed to have hacked the Conservative Party website this week suggested it also hacked a party database, and posted online names and emails it said were from that database.

Fred DeLorey, the party's communications director, issued a statement that said names, personal addresses and email addresses of people who had donated online to the Conservatives had been lifted from the database.

"In some instances the first four and last four digits of the credit card were taken, but no useful credit card information was taken and our internal database was not hacked," DeLorey said.

In an email to party supporters sent Wednesday evening, DeLorey linked the hack to recent high-profile information thefts.

"To our knowledge, the person or people responsible may have been linked to hacks on Sony, Nintendo, and PBS, and we will be reviewing our own practices and will make the necessary changes to prevent something like this happening in the future," DeLorey said.

LulzRaft denies that, saying the accusation is an attempt to excuse the party's "terrible security."

"This hack was nowhere near the same calibre. Even the most amateur security specialists should have picked up on the simple vulnerability we exploited," the hacker said in an email to CBC News.

A screen capture of the LulzRaft Twitter page on June 8, 2011. The group has claimed responsibility for embarrassing hacks against the Conservatives this week.

LulzRaft revealed the breach earlier Wednesday, a day after hacking the Conservative party website and posting a fake story about Prime Minister Stephen Harper being rushed to hospital:

"The conservatives said no contributor data was accessed..I wonder where this sample came from then!," LulzRaft said via Twitter, linking to a page on the public text-sharing website Pastebin that listed names and email addresses under the heading "Donation Contributors – A Small Sample."

The list, which had disappeared from the site by midday, contained more than 5,600 entries, with some names repeated with different email addresses. Donation amounts were not listed.

The portion posted online was organized alphabetically, suggesting the full database that was breached could contain the personal information of tens of thousands of people.

LulzRaft defends actions

In an email message to the CBC, the anonymous LulzRaft said they deliberately released only a sample of what they obtained, and withheld other information such as addresses and passwords.

The emailer denied any malicious intent or political bias, insisting their objectives were to expose the weakness in the site, and perhaps advance the cause of "more freedom of speech/information online."

What is 'lulz'?

According to the internet culture site OhInternet.com, "lulz is laughter at someone else's expense," similar to the German concept of Schadenfreude.

The message called the breach of the Conservative website "simply a hack of opportunity."

"We stumbled across the vulnerability. The other parties [sic] sites didn't appear vulnerable," the message said.

The information was posted online a day after DeLorey said Tuesday’s hack was limited only to the party website and did not affect the party’s vast database with personal information about the party’s members.

One database maintained by the Conservative Party, referred to as CIMS, for Constituency Information Management Systems, is a key element of the party's ability to fundraise and campaign effectively across Canada.

It contains detailed personal information collected by the party from not only party members and donors, but also more casual party supporters, as well as voters who may not support the party.

DeLorey's statement Wednesday indicated this was not the database that was hacked, and said most of the information that was published is readily available on the Elections Canada website.

Political donations in Canada are not necessarily private. Anyone who donates at least $200 to a political party has his or her name and the amount of the donation reported to Elections Canada, which in turn puts this information into a searchable database available through the agency's website.

Wednesday's breach involves email addresses, which are not collected by Elections Canada, and the list published by LulzRaft could contain the names of people who donated less than $200 and whose names wouldn't have been made public otherwise.

Conservative party 'disturbed' by hack

DeLorey said the party will be getting in touch with everyone whose data was taken.

"We are very disturbed by this hacking and will continue our internal investigation, as well as work with the authorities on this matter," he said.

DeLorey said the Conservative party is reviewing its practices and making the necessary changes to ensure its website is not hacked again.

In an email to CBC News, the Office of the Privacy Commissioner said it was not investigating the breach.

"Political parties aren't covered by federal privacy law; we're not in a position to investigate their personal information handling practices," a spokeswoman said.

An old email address belonging to former CBC technology columnist Tod Maffin is among those on the list.

Maffin told CBC News that five years ago he donated $5 to several different political parties while researching a feature for CBC Radio about the parties' online fundraising efforts. He believes this is the only reason this old email address could be on this list.

The LulzRaft Twitter account also posted a message Wednesday morning saying "the funny thing is, we had more trouble using the conservative party CMS [content management system] then we did hacking the site…literally."

Husky site also hacked

LulzRaft also tweeted a link Wednesday to Husky Energy's website, myhusky.ca, which displayed a message under the header "Conservative Appreciation Day," that referred to Tuesday's choking hoax.

"Due to yesterdays Harper hoax, we feel it is necessary to show conservatives that we care. So today, June 8, we will be providing free gas to all conservatives. Just use the coupon code 'hash-browns'," the message on myhusky.ca's front page said.

Graham White, a Husky spokesperson, was unaware of the apparent prank until contacted by CBC News, and confirmed it was a hack. "This is definitely not a Husky initiative," he said. The message was taken down minutes after he was alerted.

On Tuesday, a fake news release appeared on the Conservative party website that said Prime Minister Stephen Harper had been rushed to hospital after choking on a hash brown at breakfast.

The Prime Minister’s Office quickly confirmed that it was a fake and that Harper was fine.

In addition to the fake "breakfast incident" report, a link at the bottom of the party's web page was altered to point to the LulzRaft Twitter account.

Passwords that appeared to be related to the party website were posted under the LulzRaft account on Pastebin Tuesday as well.

The LulzRaft Twitter account bio makes reference to LulzSec, which in recent weeks has claimed responsibility for the hacking of sites and databases belonging to high-profile multinational corporations such as Honda and Sony, public broadcaster PBS and even the FBI.

It is unclear what relationship there is, if any, between LulzRaft and LulzSec.


  • An earlier version of this story said the Elections Canada threshold for donations to be reported on its website is $250. In fact, it is $200.
    Jun 08, 2011 5:01 PM ET