Updated at 9.50pm
AS MORE DETAILS emerge about an alleged data breach at Independent News and Media, there are more questions than answers about the scale of this developing saga.
It was revealed this week that the group’s IT system back-up tapes may have been removed from its premises. It is alleged that data, including the names of a number of journalists who worked for the company, was searched by a third party company called Trusted Data Solutions.
The Office of the Director of Corporate Enforcement (ODCE) – the State’s corporate governance watchdog – has applied to the High Court to appoint inspectors to investigate corporate governance at the media group.
According to the Sunday Independent, the ODCE’s director Ian Drennan alleged in an affidavit that the data interrogation by the external company was directed by the then chairman of INM, Leslie Buckley, who stepped down last month.
Text messages sent to Buckley, published in the Irish Independent today, reveal almost 40,000 emails of Joe Webb, former INM Ireland chief executive, may have been sourced during this alleged data interrogation. These emails reportedly go back as far as 1999.
Webb’s name was among 19 on a ‘persons of interest’ list discovered by the ODCE during its investigation into the suspected breach. Also on this list are the names of a number of journalists including Brendan O’Connor, Maeve Sheehan and Sam Smyth.
It is suspected this list was provided to pinpoint emails sent to and from particular individuals, though the list contains no context or indication of its purpose.
Now questions are being asked about the potential scale of this scandal if emails of INM staff as far back as 1999 were handed over to a third party to be searched through.
This evening a meeting was held with editors and department heads at INM headquarters to reassure staff in the wake of the alleged data breach, according to RTE.
They were reportedly told that newspapers and online operations are separate to boardroom and governance issues and were asked to brief and reassure their teams.
The text messages published in today’s Irish Independent were sent to Buckley by a John Henry, who the ODCE believes ran the alleged interrogation of INM’s IT back-up tapes. These back-up tapes would have contained an archive of the group’s emails.
“Just looking at JW archive mailbox with mails going back to 1999!!!! Yuppiee!!!,” wrote Henry in a text message sent to Buckley on 13 October, 2014, the ODCE’s affidavit claims.
It is believed the JW in this message refers to former INM Ireland chief executive Joe Webb.
Another text from Henry to Buckley later the same day reportedly read: “Will have 39,354 jw emails. Making some progress. Have solution to get stuff out as well. Got tapes. Talk later.”
And a message allegedly sent by Henry to Buckley on 2 March 2015 stated: “Hi Leslie. Could we discuss Webb. May have something. Talk face to face rather than phone.”
This is the first indication of the potential scale of the reported data interrogation, with the mention of almost 40,000 emails for just one of the 19 people on the list.
It is reported that the ODCE has said one of the reasons given for the data search by Buckley was that a contract with a service provider could not be found. It is unclear why searches of the emails of all 19 on the list by an external company may have been required to find this contract.
There were already concerns when this story first broke about the implications of journalists’ emails being accessed. Today the Press Ombudsman said it undermines “the very core” of investigative journalism in that it “endangers the confidentiality” that a journalist may guarantee someone.
Today commentators pointed out that even people who are not connected to the media group may be impacted by the breach.
Speaking to TheJournal.ie, journalist Gavin Sheridan said: “If it’s the case that nearly 40,000 emails related to former INM chief executive Joe Webb were identified – going back to 1999 – then by extrapolation if a similar number were also available related to the other 18 individuals then upwards of 800,000 emails or more could be at issue in relation to this specific query alone.”
If all INM emails were being trawled or queried, then the total number of emails at issue would run into millions. What should be made clear by INM is the volume of emails copied or taken offsite, and the purpose of that exercise. Were only the named individuals affected by queries, or were broader queries carried out?
Sheridan explained what sort of information could potentially be gleaned from the email data:
Queries like the ones performed allow someone to extract all emails between any two or more email addresses between any given dates, or all emails containing certain keywords or key phrases.
“We don’t yet know the detail from the ODCE on the extent of queries that are alleged to have taken place.”
TheJournal.ie put a number of questions to INM in relation to the number of emails and individuals potentially impacted by this alleged breach. We also asked if there was a contingency plan in place to contact anyone affected by it.
A spokesperson said INM had no comment to make regarding TheJournal.ie‘s questions.
To embed this post, copy the code below on your site
have your say