A Norwegian website has claimed that it is in possession of the personal data of more than 250,000 football fans which were sold on the black market by an employee in the FIFA system.
Dagbladet reported that the lists it was in possession of contained the full name, date of birth and passport number of fans who attended the 2006 World Cup, as well as detailed information about which games they had tickets to and where they were seated.
It said there is information on about 81,444 ticket holders, around 60,000 of whom are listed with their personal information. It also said that the lists it is in possession of are worth €50,000, and that they are only a small part of the total amount of information up for sale on the black market.
The story claimed that Dagbladet had read several emails in which an employee in Match Hospitality, FIFA's official ticket provider, offers ticket lists for sale to a major player on the black market. In April 2009 the seller wrote: “Did you receive the offer for the database you were interested in – €2.5 per contact? There is possibility to sell the contacts for separate regions too.”
Then, on 11th August, another message read: “Now I am in the official sales of the VIP areas for FIFA 2010 in South Africa, working directly for official FIFA provider Match.” Dagbladet said that it had confirmed the identity of the seller.
Jaime Byrom, chairman of Match Event Services and director of Byrom, was reported as saying that he finds Dagbladet's revelations hard to believe. He said: “FIFA, Match and the corresponding line of control take every possible step to prevent the unauthorised sale of tickets.”
He denied awareness that detailed ticket information was being sold, and when asked if Match has enough control over who has access to such information, he said: “We believe so and have no reasons to believe otherwise, other than through the representations you have made.”
Among the names was Svein Gjedrem, the current governor of the Central Bank of Norway, who confirmed that he was present at the matches in question but had no idea that his personal information was for sale on the black market. Also on the lists were the former Prime Minister of Sweden Ingvar Carlsson and former Minister of Integration Jens Orbäck, who said: “I don't like this at all. As a former minister this is also a security issue.”
Tommy Theorin, secretary general of the Swedish Football Association, also listed along with several close family members, said: “I'm frightened. I'm glad I've changed my passport since 2006 — I definitely did not expect FIFA to have so little control. This kind of information has to be treated confidentially.”
On the lists seen by Dagbladet, there were no details of UK residents, but it claimed that there are more lists on the market.
Edy Almer, VP of product marketing at Safend, said: “The news of the FIFA database being stolen and sold on merely highlights the need for companies to broaden their attitude towards data loss. Risk management is crucial and cases such as this demand the need for effective management processes and education surrounding data loss protection.
“A DLP system would have likely detected the leak and protected stakeholders from the consequences. Companies should make certain that data has been encrypted, and securely audited/logged. In doing this, misplaced data can be accessed and tracked by IT departments and, in due course, can be destroyed to avoid the information landing in the wrong hands. Organisations need to ensure that data is properly stored, secured and encrypted to prevent a loss of this kind.”
The Information Commissioner's Office (ICO) said that it was made aware of the Dagbladet article, which does not list any personal details of England fans, but claimed that 35,689 details had been unlawfully traded for profit.
A statement said: “We have contacted FIFA regarding the allegations and will be liaising with the organisation further as we move forward with an investigation. Our initial enquiries suggest that the information in question consists of the name, date of birth and passport number of approximately 7,200 individuals.
“The unlawful trade in people's personal information is a criminal offence under section 55 of the UK Data Protection Act. We appreciate that England fans who bought tickets for the World Cup in 2006 are keen to understand whether their privacy has been affected as a result of this incident.”
Amichai Shulman, CTO at Imperva, said: “Although this was clearly illegal, it also calls into question the internal security practices within football's international governing body whose IT managers really should know better.”
He said that the incident could have been avoided if FIFA had monitored and secured its staff's access to football fans' personal data, as well as to the association's files and databases.
“By allowing only carefully controlled access to data, the rogue member of staff would have realised s/he could not get away with accessing the information in the first place. The employees did not hack into the database; it was an internal attack where they abused normal functionality and privileges granted to them. This was probably a case of over-privileged users, as these low-level employees probably should not have been granted access to that data in the first place,” he said.
“A lot of organisations forget about what data is stored in their systems, especially from four years ago. The ticketing agency may not even have been aware that they had a database containing this data. However, according to international law governing the exchange of information, the data should have been deleted. This is a problem many enterprises face – they do not know where to begin, where all the sensitive data is stored, what should be kept and what needs to be deleted.”
“Furthermore, I would assume that there is a large turnover of ticketing agency employees in four years. Can every single employee since then up until now have gained access to this data? What about passwords, were they even changed during this time period? A very important question: who has access to the data? Did every employee have access rights to the sensitive data?”
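The three controls raised in the commentary above (field-level least privilege so that a sales role never sees passport numbers, an audit trail of every access that a DLP-style monitor can run over to flag one account walking the whole table, and a retention purge for data that should no longer exist) fit in one small model. The following is an added example written for this page; it is not FIFA's, Match's or any vendor's code. The ticket-holder records, role names, user names, the ten-minute window and the 50-record threshold are all constructed assumptions.

```python
"""Least-privilege reads, audit logging, bulk-access detection and a
retention purge over a constructed ticket-holder table. Added example;
every record, role and threshold here is an assumption, not page data."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

# Constructed sample records: names, dates and passport numbers are made up.
TICKET_HOLDERS = [
    {"id": i, "name": f"Fan {i}", "dob": "1970-01-01",
     "passport": f"P{i:07d}", "match": "GER-CRC", "seat": f"A{i}",
     "event_date": date(2006, 6, 9)}
    for i in range(1, 201)
]

# Role -> fields the role may read. A sales role only needs what it takes
# to serve a booking; no sales role can read passport numbers at all.
ROLE_FIELDS = {
    "hospitality_sales": {"name", "match", "seat"},   # assumed role
    "dpo": {"id", "event_date"},                      # assumed role
}


class AccessDenied(Exception):
    pass


@dataclass
class AuditedStore:
    records: list
    audit: list = field(default_factory=list)

    def read(self, user, role, record_id, fields, at):
        """Return only the fields the role is allowed to see; log every attempt."""
        allowed = ROLE_FIELDS.get(role, set())
        denied = set(fields) - allowed
        self.audit.append({"ts": at, "user": user, "role": role,
                           "record": record_id, "fields": sorted(fields),
                           "outcome": "denied" if denied else "ok"})
        if denied:
            raise AccessDenied(f"{role} may not read {sorted(denied)}")
        rec = next(r for r in self.records if r["id"] == record_id)
        return {k: rec[k] for k in fields}

    def purge_expired(self, user, role, today, retention):
        """Delete records whose event is older than the retention period."""
        if role != "dpo":
            raise AccessDenied("only the dpo role may purge")
        before = len(self.records)
        self.records = [r for r in self.records
                        if today - r["event_date"] <= retention]
        purged = before - len(self.records)
        self.audit.append({"ts": datetime.combine(today, datetime.min.time()),
                           "user": user, "role": role, "record": None,
                           "fields": [], "outcome": f"purged {purged}"})
        return purged


def bulk_readers(audit, window, threshold):
    """Users whose successful reads of distinct records inside any sliding
    window exceed the threshold, with the largest count seen per user."""
    by_user = defaultdict(list)
    for e in audit:
        if e["outcome"] == "ok":
            by_user[e["user"]].append((e["ts"], e["record"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            distinct = len({rec for _, rec in events[lo:hi + 1]})
            if distinct > threshold:
                flagged[user] = max(flagged.get(user, 0), distinct)
    return flagged


def demo():
    store = AuditedStore(list(TICKET_HOLDERS))
    t0 = datetime(2010, 8, 11, 9, 0)
    # Normal use: an agent looks up the seat for one booking.
    store.read("agent1", "hospitality_sales", 5, {"name", "seat"}, t0)
    # A sales account asking for a passport number is refused and recorded.
    try:
        store.read("agent2", "hospitality_sales", 5, {"name", "passport"}, t0)
    except AccessDenied:
        pass
    # The same account then walks 150 records in under three minutes.
    for i in range(1, 151):
        store.read("agent2", "hospitality_sales", i, {"name", "seat"},
                   t0 + timedelta(seconds=i))
    flagged = bulk_readers(store.audit, timedelta(minutes=10), threshold=50)
    # Retention: anything older than two years (assumed policy) is deleted.
    purged = store.purge_expired("dpo1", "dpo", date(2010, 8, 11),
                                 timedelta(days=365 * 2))
    denied = sum(1 for e in store.audit if e["outcome"] == "denied")
    return {"flagged": flagged, "purged": purged, "denied": denied}


if __name__ == "__main__":
    print(demo())
```

The detector works only because the store writes an audit entry for every read, successful or not; the refused passport request is itself a useful signal, and the 150-record walk stands out even though each individual read was permitted. Real thresholds would come from a baseline of normal per-agent activity rather than the constant used here.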
Update - A statement by the ICO on the 13th January 2011 said that Dagbladet alleged that personal information, including the passport details of 35,689 ticket purchasers from the UK, was included in a database that had been sold to an organisation in Norway.
An investigation found that the ticketing database was created by a company in Germany working on behalf of the German Football Association and the FIFA World Cup Organising Committee in Germany. Subsequent enquiries were also made by the Norwegian Data Protection Authority on behalf of the ICO.
Mick Gorrill, head of enforcement at the ICO, said: “The ICO has concluded that there is no evidence to suggest that any person has unlawfully obtained personal information within the UK, or that any person or organisation has breached UK data protection laws. We have no reason to believe that the passport details of ticket purchasers from the UK are at risk.”