Major Irish news publisher facing official probes after suspected data breach that may have exposed journalists' sources

A major Irish news publisher is facing two investigations into an alleged breach of journalists’ data that could mean confidential information from their emails, including the names of sources, was seen by third parties.

Independent News and Media, which owns seven national titles, including the Irish Independent, Sunday Independent and the Belfast Telegraph, has said it is conducting an internal investigation into the data security incident, which took place in 2014 but only recently came to light.

The Office of the Data Protection Commissioner in Ireland (responsible for upholding citizens’ data rights) is gathering evidence ahead of launching its own investigation, with which INM has said it is “co-operating fully”.

It also faces a probe by Ireland’s corporate watchdog, the Office of the Director of Corporate Enforcement, which has applied to the High Court to have an inspector appointed to examine the company.

The case is due before High Court president Peter Kelly this afternoon.

INM, which also publishes 13 weekly regional newspapers in Ireland, has developed a new newsroom governance code on data handling as a result of the possible breach.

According to an affidavit filed at the High Court, details from which were published in INM’s own Sunday Independent this month, the alleged breach centres on the company’s IT system back-up tapes being removed from its Dublin premises and “interrogated” (searched to obtain data) by at least six external companies.

There are fears the email communications of several journalists, including Sunday Independent deputy editor Brendan O’Connor, were accessed outside of the organisation.

The affidavit mentions 19 “persons of interest” whose personal information may have been seen when their names were searched within the database.

INM has said the data was provided to a third party service provider under instruction from then-chairman Leslie Buckley, who stepped down from his role last month.

He has said he will “robustly defend” every allegation against him.

INM first told the DPC about a possible data breach in August 2017, and provided “significant additional detail” on 26 March after the ODCE’s court application was launched three days earlier.

A spokesperson for the DPC described the issue as a “possible data breach” and said a contact point had been arranged with INM so individuals fearing they had been affected can “get answers”.

A statement released by INM last week said there had been a data security incident in 2014 which means “personal data held on INM’s servers as at 2014 may have been put at risk of unauthorised disclosure”.

The statement added that data may have been searched “more extensively” than first thought.

“The data security incident involved a number of INM’s back-up tapes, containing back-up copies of electronic data stored on INM’s servers as at 2014, being provided to a third party service provider on the instructions of the then-chairman of INM.

“The INM board only became aware of this incident in August 2017 and promptly notified the Data Protection Commissioner on learning of the matter at that time.

“Prior to receiving the court papers from the ODCE in March 2018 in respect of the court application, INM’s understanding from the persons directly involved in this exercise was that the data recorded on these back-up tapes was restored and searched for the specific purpose of seeking details regarding the terms and value for money of a particular long-term contract for professional services between INM and a service supplier.

“INM has now seen documentation in the context of the ODCE court application which suggests that the data may have been restored and searched more extensively and for a different purpose.

“INM does not know whether any such searches were in fact undertaken or for what purpose but based on the limited information currently available to INM it seems possible that they were. INM also does not know to whom any results of any such searches might have been provided.”

According to the Irish Independent, INM chief executive Michael Doorly told staff he believed the back-up tapes, which were later returned, contained emails but not human resources or payroll information.

Doorly also said the jobs of 815 staff at the company’s Dublin headquarters were not at risk, although it will be a costly exercise if inspectors are appointed.

On Friday, journalists at INM’s Irish Independent reported that editor-in-chief Stephen Rae told staff new measures were being put in place to introduce an updated newsroom data governance code, created in collaboration with the National Union of Journalists.

This would mean a new “triple-lock” process in which approval will be needed from three senior individuals if any editorial employee’s data is to be accessed by the company.

In his email to staff, Rae said: “It is a testimony to the integrity and ethos in our newsroom that the concern foremost in the minds of journalists over the past number of days has been the protection of our sources and the integrity of our systems for internal and external providers.

“For journalists there can be no more fundamental requirement to carry out our job in an efficient and effective manner than the protection of our sources.

“Therefore, over the course of the past week, I together with members of the senior editorial and management team have been working hard to examine what further measures can be put in place to ensure that the information/data that you receive and create through the IT systems is safe and secure.”

Séamus Dooley, NUJ Irish Secretary, welcomed the news that the DPC will launch an investigation.

“INM employees require a detailed explanation as to how and why the alleged breaches occurred,” he said in a statement.

“The long term interests of workers and of INM are best served by an open and transparent process.

“Journalists at Independent House had a right to work without their data being put at risk.

“The current chair and board must give unambiguous support to the editorial staff and commit to the principle that editorial independence will not be compromised by internal or external commercial or corporate interests.”

Dooley previously expressed particular concern about the threat to the confidentiality of journalistic sources.

“INM journalists will be worried about the suggestion that at least six companies external to their employer had access to INM data,” he said.

“Clear lines appear to have been crossed and it is in the long-term interest of the company and of Irish journalism that this matter is addressed as a matter of urgency.”
