Data breached at Independent News & Media (INM) in 2014 may have contained a "significant volume" of information obtained by journalists, including data identifying sources, an unpublished report by the State's privacy watchdog has found.
The report by the Data Protection Commission (DPC) found that the information accessed during a "data security incident" in late 2014 may have included "sensitive personal data" and "confidential information including information identifying or provided by confidential journalistic sources, or investigative material not intended for publication".
The watchdog’s report, completed in February but not disclosed publicly until now, said that the “unauthorised or unlawful disclosure” of sensitive information at the centre of the 2014 data breach “could have, or could have had, serious implications for the rights of data subjects”.
In February the DPC found that INM – now known as Mediahuis Ireland following a change in ownership in 2019 – breached data privacy law when emails and other records relating to staff, journalists and executives were removed and searched outside the State by IT contractors.
No legal basis
The regulator said there was no legal basis for the searching of the data and that security around processing of the information did not comply with data protections.
The report – seen by The Irish Times – supporting those findings was not published as the DPC said it fell under older legislation that predated its powers to publish.
The 2014 breach, which emerged from disclosures by two internal whistleblowers, led to an investigation by the State's corporate law watchdog, the appointment of two High Court inspectors and a series of court actions by people whose data appears to have been affected.
The company's chairman at the time, Leslie Buckley, who stood down in 2018, claimed that the data search was for a cost-cutting exercise within the business.
He kept businessman Denis O’Brien, then a shareholder in INM, informed about the search.
The cost of the search by contractors – Dublin firms DMZ IT and Specialist Security Services and Wales-based Trusted Data Solutions UK – was borne by one of Mr O’Brien’s companies.
The DPC report said personal data at the centre of the 2014 “data security incident” may have contained “a significant volume of information obtained, communicated or created by the INM staff members in the context of journalistic activities carried out on behalf of INM”.
This was a “matter of particular concern,” the DPC said, given INM’s business as a news publisher and because it acknowledged that the data may have contained emails to, from and about people internally and externally and documents written by staff such as journalists.
The regulator disclosed that four mailboxes of people who had worked at INM were restored by the outside contractors during work between late 2014 and early 2015.
Only three of the four were people who appeared on a previously disclosed list of 19 individuals who were targets of data searches. The “INM 19” list included former INM executives, journalists, public relations executives and two lawyers who worked for a tribunal which investigated some of Mr O’Brien’s business affairs.
The company told the regulator that it was “not possible” to quantify the number of people affected by the data breach as the company’s servers and related back-up IT tapes in October 2014 – the date of the breach – contained “all employees/contributors/third-party vendors/service providers, consultants and others whose names/email addresses are contained on the server”.
INM said that the information could have included “sensitive personal data”. The DPC said that it was a “significant concern” that INM could not provide specific detail on the data affected.
The DPC found it “particularly concerning” that INM allowed data processing “in the absence of very substantial guarantees as to the continued security and confidentiality of the data”.
‘Loss of control’
The fact that at the most fundamental level of data protection compliance INM could not confirm definitively all of the parties who accessed the data – and whether they deleted it – shows “a substantial loss of control by INM over the personal data for which it was the controller”, the regulator said.
Deficiencies in organisational measures and internal governance protocols that could allow the processing of large volumes of personal data including confidential journalistic and investigative material, with significant implications if disclosed, were “particularly concerning”, the DPC said.
“For a data controller not to know whether it holds sensitive personal data in the first place is indicative of systemic deficiencies in its approach to data protection,” said the commission.
The fact that INM could not confirm definitively to the DPC whether the affected data was sensitive personal data “indicates an alarming lack of awareness by INM around its own collection, processing, keeping, use and (likely) disclosure of personal data,” the regulator said.
INM, which was taken over by Belgian media group Mediahuis in 2019, said in February that it had already implemented recommendations made by the DPC in its report and would be incorporating more.