Sensitive private information relating to divorce proceedings, children's welfare and the personal finances of the former chief executive officer of Independent News and Media (INM) were among thousands of emails hacked by individuals paid by a company owned by Denis O'Brien, according to a document lodged this week in the High Court.
It is also claimed that the hacking, a major data breach investigated by the Office of the Director of Corporate Enforcement (ODCE), at whose request the High Court appointed inspectors who are now inside INM, involved a search for journalists’ sources.
The new document served on INM along with a summons is the statement of claim in a legal action against INM taken by the company's former chief executive Gavin O'Reilly, and another former executive Karl Brophy. Mr O'Reilly and Mr Brophy, both long-term critics of Mr O'Brien, run Red Flag Consulting, a public relations company that, separately, Mr O'Brien has been suing since October 2015.
Speaking this week, Mr O’Reilly said that when he learned recently which of his emails had been compromised by the hacking, he felt “sick and disgusted”.
Legally privileged emails
According to Mr O'Reilly, the hacked material included between 300 and 400 legally privileged emails between him and his lawyer, Simon McAleese. The emails relate to Mr O'Reilly's separation in 2004, and subsequent divorce two years later, from his then wife, Alison Doody. Among other things, the emails detail their personal affairs, the well-being of their children and the family finances.
Apart from being legally privileged, much of the correspondence related to matters that, under family law restrictions, were part of proceedings held in camera.
“The entire family law file that I have [among my emails] was subject to the hack,” Mr O’Reilly told The Irish Times in an interview this week. “This is a gross invasion of my, my former wife’s and our children’s privacy and I find it sickening.”
Mr O’Reilly recently received approximately 20,000 documents from INM on foot of a general data protection regulation (GDPR) access request which allows individuals obtain copies of information that companies hold on them.
The breach of data at INM began in October 2014. The company originally maintained in the High Court that it ended in December of that year but it has recently informed those affected that it may have continued for a further year, until December 2015.
Millions of emails and other files – stretching back to the 1990s, according to the ODCE – are believed to have been compromised, indicating a potential for perhaps hundreds of privacy and compensation legal actions against INM.
The hacking was started in 2014 on the instructions of the then chairman of the company, the Denis O'Brien appointee Leslie Buckley, who ordered that access to the company's IT server and its back-up tapes be given to external agents.
As a result, the contents of the server were taken out of Ireland, given to an external digital forensic examiner, copied and then searched by at least one further third party.
Nineteen individuals were targeted in the search, including Mr O'Reilly, his personal assistant, Mandy Scott, and Mr Brophy, as well as the INM defamation solicitor, Simon McAleese (who was also Mr O'Reilly's personal solicitor), several other INM executives and journalists, including Sam Smyth who is understood now also to be preparing to sue the company, and two senior lawyers who worked for the Moriarty tribunal, whose negative findings against him Mr O'Brien has long disputed.
In recent correspondence with some of those affected, INM has agreed with their observation that while the people targeted in the hacking “‘may be regarded as having acted adversely to Mr O’Brien’, INM at present has no clarity or further information in relation to the true purpose of the data interrogation”.
INM originally maintained in court, when it was attempting to resist the appointment of High Court inspectors, that the hacking was carried out to examine a contract for the provision of legal services to the company by Mr McAleese.
However, last month INM wrote to some of those affected by the hacking and revealed that a recently completed investigation, carried out for the company by consultants Deloitte, "found the purpose of the data interrogation was for a purpose other than seeking details regarding the terms and value for money of a particular long-term contract for legal services".
Robert Pitt, the former INM chief executive who made a protected disclosure to the ODCE, told the Director of Corporate Enforcement and the INM board that he had been informed that the "data of interest" was specifically that belonging to Gavin O'Reilly, Simon McAleese and Karl Brophy.
Shared and searched
The companies with which the data was shared and searched included, in the first instance, DMZ IT Limited, but subsequently others, some of them outside the jurisdiction, were also given the data. They included the New York headquartered company Trusted Data Solutions (TDS).
The statement of claim is lengthy, running to 50 paragraphs, some with multiple subsections, across seven headings, and detailed.
“The data breach was conducted with the authorisation and under the instruction of Mr Buckley” on behalf of INM, it asserts.
Others include Derek Mizak of DMZ and a John Henry of Specialist Security Services who, it is claimed, "had a significant role" in the hacking.
Mr Henry's son, Shane Henry, is also identified. He is chief executive of Reconnaissance Group Limited "an international provider of security services", says the statement of claim.
It continues: “Specialist Security Services Limited and Reconnaissance Group Limited are connected entities. Mr John Henry was previously a shareholder in Reconnaissance Group Limited . . .
"Reconnaissance Group Limited has previously engaged commercially with Digicel, a telecommunications company founded by Mr O'Brien, of which Mr Buckley is vice-chairman. Reconnaissance Group Limited and Digicel share the same corporate address in Haiti, where both companies have operations."
There is reference to a Keith Duggan, a director of Resilient Defence Limited, of which Mr Mizak was also a director, and which is a subsidiary of Reconnaissance Group Limited.
Another person named is Robert Breen, chief operations officer at TDS.
“Each of these third parties participated in the data breach,” says the statement of claim.
According to the ODCE and the statement of claim by Mr O’Reilly and Mr Brophy, the invoiced cost of TDS’s work was met by an Isle of Man-based Denis O’Brien company. At the time, Mr O’Brien was INM’s largest and controlling shareholder. He has since sold his holding to Mediahuis, the Belgian/Dutch company that now owns INM outright.
"The said invoice was discharged by Blaydon Limited," says the O'Reilly/Brophy statement of claim. "Blaydon Limited is a company registered in the Isle of Man and is beneficially owned by Denis O'Brien."
In a judgment appointing High Court inspectors to INM last September, the President of the High Court, Judge Peter Kelly, said that the "rights and entitlements" of Gavin O'Reilly, Karl Brophy and the others affected "may have been transgressed in a most serious way" by the hacking.
Mr O'Reilly and Mr Brophy are suing INM for alleged breach of their constitutional right to privacy, breach of the Data Protection Act, conspiracy and breaching their fundamental rights under the European Union.
Mr Buckley, who resigned in March 2018 and is being sued separately by INM, has denied any wrongdoing. He has asserted that the data interrogation was part of an alleged “cost cutting” exercise, a view not accepted by the ODCE or, now, by INM.
The Data Protection Commissioner, Helen Dixon, is carrying out her own, separate, investigation into the hacking.
A spokesman for Denis O’Brien was approached for comment, but has not responded.