Ireland’s Data Protection Commissioner Helen Dixon announced that she would investigate a major data breach incident suffered by media company Independent News and Media after it came to light that thousands of emails stored by the company were removed from its servers in late 2014.
Back in March, the Office of the Director of Corporate Enforcement in Ireland announced that confidential details of personnel as well as IT systems’ back-up tapes at news company Independent News and Media were moved out of the company’s premises in October 2014.
During the course of its investigation, ODCE came across a list of 19 names in an Excel document that was attached to emails exchanged by people who were not employees of Independent News and Media. While four of them were journalists, the rest included senior barristers and former directors and executives at Independent News and Media.
The list of emails and documents removed from INM’s servers in 2014 included nearly 40,000 emails of former CEO Joe Webb. Once it was made aware of the breach, the company immediately informed the Data Protection Commissioner’s office and the latter has promised to investigate the same. Earlier, the National Union of Journalists had also called for the Data Protection Commissioner to investigate the breach.
In an application to the High Court, Ian Drennan, the director of ODCE, said that external firms were also able to access emails and documents belonging to several former directors, journalists and other staff at Independent News and Media. He added that his office was told by former INM chairman Leslie Buckley that the data collection and interrogation was carried out with the help of Special Security Services Limited as a “cost saving exercise”.
“According to Mr Drennan, Mr Buckley explained that the data interrogation was part of a “cost-reduction exercise”. Mr Buckley told the ODCE he authorised the work so he could find out more detail about the awarding by INM of a professional services contract. He wanted to consider whether the cost and duration of the contract could be renegotiated,” said the Irish Independent.
According to various reports, none of the board members at INM were aware of the data collection and interrogation contract which was awarded by Mr. Buckley to Special Security Services Limited. It was only after the board was informed of the same by the ODCE in August last year that they realised the true impact of the breach.
Another reason why the board was unaware of the breach was that after Special Security Services Limited raised invoices worth around €60,000 for carrying out data collection and interrogation, the bills were paid not by INM itself but by Isle of Man-based Blaydon Limited whose owner Denis O’Brien is considered a long-term associate of Mr. Buckley.
While it remains to be seen how many people were associated with the breach and if data obtained by external parties were misused for various purposes, the scale of the breach, where a chairman signed off a data collection contract without the knowledge of the board and where the breach stayed hidden for three years, signals that firms across the UK have a lot of catching up to do when it comes to securing enterprise data and ensuring such data is not accessed by third parties without stringent controls in place.