GAA data theft 'unlikely to lead to identity fraud'

B ACKGROUND:Data leak allegedly came from a man who held a grudge against the Belfast-based database firm

THE THEFT of the GAA’s membership database is unlikely to lead to identity theft, the Office of the Data Protection Commissioner has said.

The database contains the names, addresses, phone numbers, e-mail addresses and, in a small number of cases, the medical records of every single member of the GAA.

The theft is now the subject of a criminal investigation by the PSNI who have already arrested a man and released him on police bail without charge.

Sources close to the investigation say the security leak came from a man with a grudge against Servasport Ltd, the Belfast-based company that was maintaining the database on behalf of the association.

A statement from the company said the PSNI were making “good progress” with the investigation and they were confident “no misuse of the information” had taken place.

The company also apologised to the GAA and its members.

Data Protection assistant commissioner Diarmuid Hallinan said from what they knew of the investigation, the information that was stolen was not subsequently used for criminal purposes.

He said the absence of financial information or personal password details from the files that were stolen would make it highly unlikely that it could be used to access somebody’s bank account.

“It is not impossible, but our view is that this would be best used indirectly to gain access to information,” he explained.

The commissioner has advised GAA members to be cautious in not disclosing any more information if they receive unsolicited contacts through the post, over the phone or through e-mail that refer to their association membership.

Information security consultant Brian Honan said the information on its own was “low risk”, but he would be concerned that personal medical information could be misused if it fell into the wrong hands.

The data is compiled by every GAA club and collated centrally to aid the registration of players who move from club to club.

Ex-GAA president Nickey Brennan, who is the chair of the association’s IT committee, said they had employed consultants Deloitte to look at Servasport and other suppliers of IT to the association.

He moved to reassure members that the database was not hacked by any sectarian element inimical to the GAA as many members in the North would be sensitive about their addresses being public knowledge. He described the motivations of the person involved as “interesting” given that it was still a mystery why copies of the database were sent to the data information commissioners north and south of the Border and to the Gaelic Players Association (GPA).

“Trying to understand the psyche of the individual is something that is exercising people’s minds at the moment. We are hoping that a subsequent investigation by the police will get to the bottom of it,” he said.

The players association handed over the tape to GAA headquarters on November 19th and the information was not disclosed until yesterday at the request of the police service.

GPA spokesman Seán Potts said: “We’re aware of the seriousness of the matter and we’re satisfied that the authorities are dealing with it properly.”

Mr Potts said they had “no idea whatsoever” why the GPA was sent the database. “As far as we are concerned we received a disk and we passed it on to the authorities immediately.”

One GAA club secretary and coach, who did not wish to be named, said the hacker had done the association a favour by exposing its lax security protocols.

“I’m dismayed. Not having this information encrypted properly is unforgivable, I’m absolutely livid,” he said.

He went on to say that though the GAA has a policy that the mobile phone numbers or e-mail details of minors under the age of 18 should not be stored, in reality they are often collated by club secretaries.

The association has written to the 544 members who have had their medical conditions detailed on the database. They have also set up a helpline for those who are concerned about the information contained on the database. The number is 1890 987 807 for the Republic and 0800 0114787 for Northern Ireland.

THE DATA: NAMES AND NUMBERS:

501,786

names and addresses of members

288,511

dates of birth

107,212

mobile numbers

63,695

landline numbers

30,171

e-mail addresses

167,157

of the members on the database are under 18

544

the database contains medical information about 544 players