The political fund that has raised more than $50 million to support Mitt Romney’s bid for the presidency has been collecting money online with a system so insecure that it exposes donors’ credit card information to even casual snoopers.
Computer-security specialists say that using such low-tech systems can violate laws and that the group should notify anyone who has donated.
Restore Our Future, the super PAC helmed by former top Romney campaign officials that runs ads attacking the former Massachusetts governor’s opponents, has for months been accepting credit card information without any type of security, leaving the card numbers easily accessible.
“Quite frankly, the lack of credit card data protection on the site is unconscionable, and there is no excuse for it,” said Diana Kelley, an analyst at the technology firm SecurityCurve, which reviewed the site. “They should stop taking card data until the problem is remediated and should notify their donors that their card numbers were at risk and may have been compromised.”
The lack of basic, standard methods for dealing with personal information means anyone on the same wireless network could effortlessly record a donor’s credit card number as it is submitted. The numbers also could be stored in the browser, and people could later use the publicly available donor lists to target contributors with a solicitation that would, without the donor’s knowledge, cause the stored information to be sent to them.
It also could indicate deeper problems that could jeopardize the financial information of some of the wealthiest men in America, technologists said.
“This is pretty bad. It’s very unprofessional. And if a developer doesn’t know how to provide SSL security, it’s probably a safe bet that his server isn’t storing donors’ credit card information in a secure way, either. You’d be a fool to donate money through this form,” said Tom Lee, a computer programmer at the Sunlight Foundation, which studies money in politics.
SSL, short for Secure Sockets Layer, is a protocol for encrypting information as it travels over the Internet.
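The flaw described above is a donation form that posts card numbers to a plain HTTP address. The check below is an added example, not code from the article or from the super PAC's vendor: it parses an HTML page, finds forms that collect payment-card fields, resolves each form's action against the page URL, and flags any that would submit card data without TLS, or that are themselves delivered over plain HTTP (where the action could be rewritten in transit). The sample page, its `example.test` hostnames and the field names are constructed for the demonstration.

```python
"""Flag HTML forms that would submit payment-card fields without TLS."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Substrings in a field's name or autocomplete token that suggest card data.
# Heuristic only; tune to the forms you are auditing.
CARD_HINTS = ("cc-number", "card", "ccnum", "cvv", "cvc", "expir")


class FormCollector(HTMLParser):
    """Collect every <form> with its action attribute and the inputs it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select") and self._current is not None:
            self._current["fields"].append(
                (a.get("name") or "", a.get("autocomplete") or "", a.get("type") or "")
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def looks_like_card_field(name, autocomplete, typ):
    """True if the field name or autocomplete token hints at payment-card data."""
    hay = f"{name} {autocomplete}".lower()
    return any(hint in hay for hint in CARD_HINTS)


def audit_forms(page_url, html):
    """Return [(resolved_action_url, [reasons])] for every form that collects
    card fields and would send them insecurely. An empty list means no finding."""
    parser = FormCollector()
    parser.feed(html)
    page_scheme = urlparse(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        if not any(looks_like_card_field(*f) for f in form["fields"]):
            continue  # no card data collected here
        # An empty action posts back to the page itself; urljoin handles that.
        action = urljoin(page_url, form["action"])
        reasons = []
        if urlparse(action).scheme.lower() != "https":
            reasons.append("form posts card data over plain HTTP")
        if page_scheme != "https":
            reasons.append("form delivered over plain HTTP (action can be rewritten in transit)")
        if reasons:
            findings.append((action, reasons))
    return findings


# Constructed sample: a donation page served over HTTP with three forms.
SAMPLE_PAGE_URL = "http://donate.example.test/sample-page"  # constructed hostname
SAMPLE_HTML = """
<form action="/process.php" method="post">
  <input name="amount"><input name="cardnumber" autocomplete="cc-number">
  <input name="cvv"><input type="submit" value="Donate">
</form>
<form action="https://secure.example.test/donate" method="post">
  <input name="card_number" autocomplete="cc-number"><input name="exp" autocomplete="cc-exp">
</form>
<form action="/subscribe" method="post"><input name="email" type="email"></form>
"""

if __name__ == "__main__":
    for action, reasons in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(action)
        for r in reasons:
            print("  -", r)
```

Run against the constructed page, the first form is flagged on both counts (card fields posted to `http://donate.example.test/process.php` from an HTTP page), the second is flagged only because the page itself is not served over HTTPS, and the newsletter form is skipped because it collects no card fields. Serving the page over HTTPS and pointing every card form at an HTTPS action clears all findings.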
Told of the security hole Wednesday, Restore Our Future spokeswoman Brittany Gross did not express concern and would not say how many have given to the campaign via credit cards.
Late Thursday, Restore Our Future issued a written statement saying: “Because we will be targeted by hackers based on your story, we made the switchover today.” It added a secured donation page and left the old one intact. Ms. Gross did not say that the group would notify those affected.
The surprisingly amateur digital public face of the group that has had an enormous influence on the presidential campaign is telling about the nature of super PACs. While the presidential candidates bombard email lists with daily pleas for donations, the idea that a casual Romney supporter might be stirred to send money to the PAC seemed almost an afterthought.
Its donors are largely wealthy Romney supporters who have behind-the-scenes connections with political operatives. Super PACs can support a candidate as long as they do not coordinate with his official campaign.
The lack of a polished presence on the Web — its main pro-Romney pitch is titled “sample-page” — highlights broader absences. The super PAC has no office or phone number. No staffers appear on its payroll. A money machine for television ads, it deals in the millions of dollars with almost no organizational presence and often pays it out not to the actual recipient of the money, but to corporations designed as conduits.
For his efforts in wooing donors, former Romney aide Steve C. Roche recently paid himself an $800,000 “fundraising commission” — through a payment to “Podium Capital Group” at a post office box.
The maker of the super PAC’s website says it will create similar sites in as little as one day and for as little as $500, but disclosures in which political committees must detail how they spend their money also list no payments to that company.
Ms. Gross would not discuss the super PAC’s fundraising methods or operations.
“We do not comment on our vendors,” she said.
As of April 1, a total of 533 people and companies had donated to Restore Our Future. Ninety of them gave $500 or less, with a median gift of $25,000, an option the website provides.
The fund is, by and large, a destination for exceedingly large donations; 149 contributors have given $100,000 or more. Several have gone so far as to establish limited-liability corporations to transfer money to the super PAC in an attempt to hide their identities. It is unlikely that such donors would make their political gifts using credit cards.
The failure to institute basic security violates industry standards, which could cause credit card companies to levy fees, fines and increased rates on a violator, potentially costing it hundreds of thousands of dollars, Ms. Kelley said.
Lawyers said there is also potential legal exposure in the form of fines payable to the state; risk of civil lawsuits by donors; and legal requirements to notify those affected, the specifics of which vary because regulations depend on the state where a donor resides.
“Most states have data-breach statutes that have a definition of breach of security, meaning the reasonable belief of unauthorized acquisition,” said David J. Shannon, a Philadelphia-based data-security lawyer.
In other states, “attorneys general will assess a penalty. There wouldn’t have to be actual harm for that,” he said.
Melanie Sloan, executive director of the watchdog group Citizens for Responsibility and Ethics in Washington, said the shadowy nature of the super PAC was apparent.
“How can any business that size not have a phone? Most businesses generating $50 million in revenue want a website so people can learn about the organization … but this has been intended to be as hidden from public view as possible,” she said.
“The fact that this could happen shows that they had no expectation that regular people might give,” she said, “but some did, and it shows an utter disregard for those donors. If anything says, ‘We only care about our richest donors,’ this does.”