BACKGROUND: Data leak allegedly came from a man who held a grudge
against the Belfast-based database firm
THE THEFT of the GAA’s membership database is unlikely to lead to
identity theft, the Office of the Data Protection Commissioner has
said.
The database contains the names, addresses, phone numbers, e-mail
addresses and, in a small number of cases, the medical records of
every single member of the GAA.
The theft is now the subject of a criminal investigation by the PSNI
who have already arrested a man and released him on police bail
without charge.
Sources close to the investigation say the security leak came from a
man with a grudge against Servasport Ltd, the Belfast-based company
that was maintaining the database on behalf of the association.
A statement from the company said the PSNI were making “good progress”
with the investigation and they were confident “no misuse of the
information” had taken place.
The company also apologised to the GAA and its members.
Data Protection assistant commissioner Diarmuid Hallinan said from
what they knew of the investigation, the information that was stolen
was not subsequently used for criminal purposes.
He said the absence of financial information or personal password
details from the files that were stolen would make it highly unlikely
that it could be used to access somebody’s bank account.
“It is not impossible, but our view is that this would be best used
indirectly to gain access to information,” he explained.
The commissioner has advised GAA members to be cautious in not
disclosing any more information if they receive unsolicited contacts
through the post, over the phone or through e-mail that refer to their
association membership.
Information security consultant Brian Honan said the information on
its own was “low risk”, but he would be concerned that personal
medical information could be misused if it fell into the wrong hands.
The data is compiled by every GAA club and collated centrally to aid
the registration of players who move from club to club.
Ex-GAA president Nickey Brennan, who is the chair of the association’s
IT committee, said they had employed consultants Deloitte to look at
Servasport and other suppliers of IT to the association.
He moved to reassure members that the database was not hacked by any
sectarian element inimical to the GAA as many members in the North
would be sensitive about their addresses being public knowledge. He
described the motivations of the person involved as “interesting”
given that it was still a mystery why copies of the database were sent
to the data information commissioners north and south of the Border
and to the Gaelic Players Association (GPA).
“Trying to understand the psyche of the individual is something that
is exercising people’s minds at the moment. We are hoping that a
subsequent investigation by the police will get to the bottom of it,”
he said.
The players association handed over the tape to GAA headquarters on
November 19th and the information was not disclosed until yesterday at
the request of the police service.
GPA spokesman Seán Potts said: “We’re aware of the seriousness of the
matter and we’re satisfied that the authorities are dealing with it
properly.”
Mr Potts said they had “no idea whatsoever” why the GPA was sent the
database. “As far as we are concerned we received a disk and we passed
it on to the authorities immediately.”
One GAA club secretary and coach, who did not wish to be named, said
the hacker had done the association a favour by exposing its lax
security protocols.
“I’m dismayed. Not having this information encrypted properly is
unforgivable, I’m absolutely livid,” he said.
He went on to say that though the GAA has a policy that the mobile
phone numbers or e-mail details of minors under the age of 18 should
not be stored, in reality they are often collated by club secretaries.
The association has written to the 544 members who have had their
medical conditions detailed on the database. They have also set up a
helpline for those who are concerned about the information contained
on the database. The number is 1890 987 807 for the Republic and 0800
0114787 for Northern Ireland.
THE DATA: NAMES AND NUMBERS:
501,786
names and addresses of members
288,511
dates of birth
107,212
mobile numbers
63,695
landline numbers
30,171
e-mail addresses
167,157
of the members on the database are under 18
544
the database contains medical information about 544 players
No comments:
Post a Comment