The political fund that has raised more than $50 million to support Mitt Romney’s bid for the presidency has been collecting money online with a system so insecure that it exposes donors’ credit card information to even casual snoopers.
Computer-security specialists say that using such low-tech systems can violate laws and that the group should notify anyone who has donated.
Restore Our Future, the super PAC helmed by former top Romney campaign officials that runs ads attacking the former Massachusetts governor’s opponents, has for months been accepting credit card information without any type of security, leaving the card numbers easily accessible.
“Quite frankly, the lack of credit card data protection on the site is unconscionable, and there is no excuse for it,” said Diana Kelley, an analyst at the technology firm SecurityCurve, which reviewed the site. “They should stop taking card data until the problem is remediated and should notify their donors that their card numbers were at risk and may have been compromised.”
The lack of basic, standard methods for dealing with personal information means anyone on the same wireless network could effortlessly record a donor’s credit card number as it is submitted. The numbers also could be stored in the browser, and people could later use the publicly available donor lists to target contributors with a solicitation that would, without the donor realizing it, cause the information to be sent to them.
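As an added example (not code from the article or from the PAC’s site), the following check flags the two weaknesses just described in a page’s HTML: a card form that is served or submitted without HTTPS, and card fields the browser is allowed to remember. The page URL and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings that mark an input as carrying card data (assumed heuristic).
CARD_HINTS = ("card", "ccnum", "cc-number", "cvv", "cvc", "exp")

class FormAuditor(HTMLParser):
    """Collect each <form>, its resolved action URL and its card-like inputs."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # An empty action means the form posts back to the page itself.
            self._form = {"action": urljoin(self.page_url, a.get("action", "")),
                          "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            if any(h in name for h in CARD_HINTS):
                self._form["fields"].append((name, a.get("autocomplete", "").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit_donation_page(page_url, html):
    """Return a list of findings; an empty list means nothing was flagged."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["fields"]:
            continue  # no card-like inputs, nothing sensitive in this form
        if urlsplit(page_url).scheme != "https":
            findings.append("page with card form served over plain HTTP")
        if urlsplit(form["action"]).scheme != "https":
            findings.append(f"card data posted in cleartext to {form['action']}")
        for name, autocomplete in form["fields"]:
            if autocomplete != "off":
                findings.append(f"browser may store field '{name}' (autocomplete not off)")
    return findings

# Constructed samples: a form like the weak page, and a corrected one.
WEAK_HTML = ('<form action="/donate" method="post"><input name="card_number">'
             '<input name="cvv"><input name="amount"></form>')
FIXED_HTML = ('<form action="https://donate.example.invalid/pay" method="post">'
              '<input name="card_number" autocomplete="off">'
              '<input name="cvv" autocomplete="off"></form>')
```

Running `audit_donation_page("http://example.invalid/sample-page", WEAK_HTML)` reports the cleartext submission and the two rememberable card fields, while the fixed form produces no findings.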
It also could indicate deeper problems that could jeopardize the financial information of some of the wealthiest men in America, technologists said.
“This is pretty bad. It’s very unprofessional. And if a developer doesn’t know how to provide SSL security, it’s probably a safe bet that his server isn’t storing donors’ credit card information in a secure way, either. You’d be a fool to donate money through this form,” said Tom Lee, a computer programmer at the Sunlight Foundation, which studies money in politics.
SSL, short for Secure Sockets Layer, is a protocol for encrypting information sent over the Internet.
Told of the security hole Wednesday, Restore Our Future spokeswoman Brittany Gross did not express concern and would not say how many have given to the campaign via credit cards.
Late Thursday, Restore Our Future issued a written statement saying: “Because we will be targeted by hackers based on your story, we made the switchover today.” It added a secured donation page and left the old one intact. Ms. Gross did not say that the group would notify those affected.
The surprisingly amateur digital public face of the group that has had an enormous influence on the presidential campaign is telling about the nature of super PACs. While the presidential candidates bombard email lists with daily pleas for donations, the idea that a casual Romney supporter might be stirred to send money to the PAC seemed almost an afterthought.
Its donors are largely wealthy Romney supporters who have behind-the-scenes connections with political operatives. The super PACs can support a candidate as long as they do not coordinate with his official campaign.
The lack of a polished presence on the Web — its main pro-Romney pitch is titled “sample-page” — highlights broader absences. The super PAC has no office or phone number. No staffers appear on its payroll. A money machine for television ads, it deals in the millions of dollars with almost no organizational presence and often pays that money out not to its actual recipient, but to corporations set up as conduits.
For his efforts in wooing donors, former Romney aide Steve C. Roche recently paid himself an $800,000 “fundraising commission” — through a payment to “Podium Capital Group” at a post office box.
The maker of the super PAC’s website says it will create similar sites in as little as one day and for as little as $500, but disclosures in which political committees must detail how they spend their money also list no payments to that company.