Democrat Martha Robertson, the Emily’s List-backed, “Red to Blue” challenger in NY-23 just can’t seem to escape local news coverage of her apparently false fundraising claim that GOP operatives were “caught” trying to take down her website during a critical fundraising period.

Martha Robertson fundraising email partial

Legal Insurrection broke the story in early October 2013, and we have followed the details since then:

The latest bad publicity for Robertson regards her response to a complaint filed with the NY State Board of Elections, as reported by WETM:

The controversy over an e-mail sent by Martha Roberton’s campaign to supporters last September continues. Now, the National Republican Congressional Committee is getting involved.

The NRCC is asking the Martha Robertson campaign to release all correspondence related to the e-mail her campaign sent to supporters on September 30th, 2013. The NRCC is looking for correspondence that is not protected by attorney-client privilege.

In that September e-mail, the Robertson campaign claimed that “GOP ops” had hacked their website right before the end of the third quarter fundraising deadline. The Robertson campaign provided proof of their hacking claims in October of 2013, but decided not to hire an outside firm to investigate, despite previously saying they would.

In a letter sent by the Robertson campaign to the NY State Board of Elections, Robertson repeats her claim that there were attacks on the website but no longer claims that it has any proof whatsoever that the GOP was involved, much less that GOP operatives were “caught” (emphasis added):

The fact of the matter is that on September 30th, 2013, the Martha Robertson for Congress campaign’s website was hacked. We received 9 SQL injection attacks into the stored data section of our website in a very short period of time. Since our website is not an “e-commerce” site like Amazon or Target, it is very uncommon to receive these kinds of attacks.

Additionally, our website was attacked on the most important finance deadline of the campaign at that time. While the attack could have come from a random source, the timing suggested otherwise. Please see the link attached that highlights when Nate Shinagawa proved the occurrence of an attack on our website: http://www.mytwintie rs .com/story/robertson-campaign-responds-to-email-allegations/d/story/8yWULhc1MkK9Wjuf73biXA. My Twin Tiers reported that ” … as WENY news reported on Oct. 11th of last year, the Robertson campaign did indeed show the news reporter evidence that an attempted hacking did in fact occur”.

This explanation is highly misleading. The “evidence” the Robertson campaign showed to the reporter did not prove anything other than, at most, routine server issues. (The story video is here, the link in Robertson’s letter appears dead; we quoted the story here .)  Legal Insurrection’s technical consultant, Andy LoCascio, explained at the time that the Robertson campaign’s explanation to the reporter did not make a lot of sense:

While it certainly would be possible that an SQL injection could stop all or part of a website from functioning, it is easy to detect and fix. The IP addresses in the server log can be traced back to the source of the attack. For such an attack to be effective, the site would need to be poorly configured or maintained. These attacks and similar attempts to hack into sites are routine. A review of the entire server log would find dozens of attempts to access the content. If someone really wanted to take the site down, they would have arranged for a DDOS (distributed denial of service) attack. This really appears to be an opportune use of a common server issue.

The Robertson campaign has not responded to Legal Insurrection’s request for a copy of the server logs to verify the campaign’s explanation.

After the latest claim by Robertson’s campaign that the attack was suspicious because not directed at an ecommerce website, LoCascio scoffed at such an explanation:

SQL injections are the single most common form of “hacking” into a website. Hackers are typically not trying to steal sensitive information. They simply want to gain control of the application or the host server for use in distributing malware to unsuspecting visitors or sending bulk emails (spam). ALL websites are continually being probed for weakness and those that are poorly protected are eventually compromised (in a variety of ways). These attempted incursions are typically quite broad and are almost always automated. Most e-commerce sites are fairly well protected and carefully monitored. This actually makes them a poor target for SQL injections. Non-ecommerce sites are actually a much better target and are compromised much more often.

What do we know as of this date?

The Martha Robertson campaign made a fundraising claim that GOP operatives were “caught” trying to take her website down. That was a false statement.