Independent News & Media (INM) should have known last year that an apparent breach it reported to the Data Protection Commissioner (DPC) involved "highly sensitive" information including journalists' sources, according to the Director of Corporate Enforcement Ian Drennan.
In an affidavit to the High Court, Mr Drennan said that the scale of the data event at INM was "downplayed" in a voluntary report the media group made to the DPC, Helen Dixon, in August 2017.
Mr Drennan’s office has been investigating a number of matters including an apparent data breach at INM, and is seeking the appointment of High Court inspectors to INM. The application is to be heard next Monday.
In its voluntary communication to the DPC on August 24th, 2017, INM said it wished to notify the office of a “security incident” that “may have placed personal data at risk”, according to the affidavit. Based on what it was told, the DPC decided there had been no breach.
It was difficult to see how INM could 'legitimately downplay' the issue to being one that 'may' have put personal data at risk
According to Mr Drennan, data from the INM servers was accessed or “interrogated” by six companies and a number of individuals in October 2014.
Bills arising from this process were paid by a company, Blaydon Ltd, which is owned by the largest shareholder in INM, businessman Denis O’Brien.
The removal of the INM back-up tapes for its computer system, which is referred to by Mr Drennan as the "data interrogation", was directed by the then chairman of INM, Leslie Buckley, who was Mr O'Brien's nominee on the INM board, Mr Drennan said.
Under the heading “misstatement of the gravity of the data interrogation”, Mr Drennan said that in view of the information available to INM in August 2017, it was difficult to see how INM could “legitimately downplay” the issue to being one that “may” have put personal data at risk.
INM is expected to address staff later this week about their concerns as to what happened with data
“Rather, it would have been clear that the contents of INM’s IT systems and back-up tapes respectively would have included personal data (as well as other highly sensitive data such as, for example, journalists’ communications with sources).”
INM has told the ODCE that its board did not know in 2014 that its data was being given to UK company Trusted Data Solutions and others.
In the wake of the filing of Mr Drennan’s affidavit, INM made a second disclosure to the DPC, which has since announced it is going to conduct an inquiry.
INM is expected to address staff later this week about their concerns as to what happened with data at INM, and the board is understood to be taking legal advice on what actions it should take.
Mr Buckley has said the data was given to third parties as part of a cost-reduction exercise.
In his affidavit Mr Drennan said there remain “significant concerns” as to the precise purpose of the data interrogation.
He also noted that in its report to the DPC, INM made no mention of John Henry, a security specialist, who is one of the people Mr Drennan believes "interrogated" the INM data.
Mr Buckley has said he will “robustly defend” himself against all allegations . A spokeswoman for INM said it could not comment for legal reasons. Mr O’Brien has yet to comment on the INM controversy. The man who answered Mr Henry’s phone hung up when told the purpose of the call.