GAA confirms data breach incident

dcr22B

Now this is serious!

http://www.irishtimes.com/newspaper/breaking/2010/1210/breaking31.html

MassDeb8r

I am the secretary of a GAA club and was sent this today.

---

A Chara,

We are writing to advise you that Servasport Ltd., has informed the GAA that there has been unauthorised access to the GAA membership database.
Servasport Ltd., a Belfast based company that develops and maintains the GAA membership database, has issued an unreserved apology to the GAA and to our members.
The GAA became aware of the data breach when it was informed on the 19th November 2010 that disks containing the database had been received by the Office of the Data Protection Commissioner and the GPA, who immediately passed the disk to the GAA. The Information Commissioners Office in Belfast also received a disk.

An investigation is being carried out by the Police Service of Northern Ireland and in order to facilitate this investigation the GAA has been unable to inform members until today.
The database contains names and addresses of 501,786 members.

In relation to these members the database holds:

288,511 dates of birth
107,212 mobile numbers
63,695 landline numbers
30,171 email addresses
In the case of 544 members, the database contains a reference to a medical condition and the GAA is writing directly to each of these members setting out the information recorded about them.

167,157 of the members on the database are under 18 years of age. It is GAA policy that mobile phone or email details of persons under 18 years of age should not be stored on any database. The policy states that any such communication should be via the mobile phone or email address of their parent or guardian.

No other GAA IT system is affected by this incident. The database does not contain financial or any other information.
This matter is being taken very seriously by the GAA:
The GAA is working closely with the Office of the Data Protection Commissioner, the Information Commissioners Office and the Police Service of Northern Ireland
Deloitte has been engaged to undertake an independent review of Servasport and other suppliers of IT to the GAA
All clubs have been sent this email
The GAA has set up an Information Line
Any member or any parent/guardian with any questions, or who wishes to establish whether data relating to them has been affected by this incident, should contact the Information Line on Lo Call Number : 1890 987 807 or 0800 0114787 (from Six Counties) 8am to 8pm daily.

The compilation of the GAA database is the result of enormous effort by our volunteers across the country. The GAA greatly regrets that this incident has occurred. We would ask for your help by informing your members of the contents of this email.
Páraic Ó Dufaigh
Ard Stiúrthóir

--
GAA Communications Department
Guthán 1 / Tel 1: +353 (0) 1 836 3222
Faics / Fax: +353 (0) 1 836 8420
http://www.gaa.ie
GAA, Páirc an Chrócaigh, Baile Átha Cliath 3 / GAA, Croke Park, Dublin 3

dcr22B

Can one of the mods merge this with the thread I started below?

Clareman

Threads merged.

cartwheel

Probably related,
but the CEO of Servasport had his laptop robbed around the turn of the year, it contained all of the information that was stolen in the article above. At the time, the CEO should of reported the stolen laptop to the Data Protection Agency but didn't.
A disgruntled ex employee leaked this information to a few people, I'd say its the same fella who sent the discs to the Data Protection Agency today. When they say hacked in the report, its misleading, its more likely the person still had a login to the system.

Big Badger

cartwheel wrote: »

Probably related,
CEO should of reported the stolen laptop to the Data Protection Agency but didn't.
A disgruntled ex employee leaked this information to a few people

good lord !
how do you know all this ? ! ?

Peace

Oh fantastic. If the risk of identy theft wasn't bad enough this sort of sh1te makes it just too easy for criminals.

cartwheel

Big Badger wrote: »

good lord !
how do you know all this ? ! ?

Digruntled ex employee, probably the same guy who got arrested sent the email to a few people, think his email address was irishsportsfan or something. It was actually reported in the independent during the summer but was on page 26 under a sub heading or somewhere arbitrary like that.

imnewhere

cartwheel wrote: »

Digruntled ex employee, probably the same guy who got arrested sent the email to a few people, think his email address was irishsportsfan or something. It was actually reported in the independent during the summer but was on page 26 under a sub heading or somewhere arbitrary like that.

Hi Cartwheel

Do you have a link to the post in the independent - would like to get a read at it?


Cheers,

Conas

Ah sure it's nothing too bad. A few phone numbers and email addresses is nothing that you couldn't find somewhere else if you looked hard enough. A load of fuss over nothing, considering it was done by an ex employee.

tut tut

I disagree with you Conas. Personal details are personal I am not happy about my details being in the hands of people I don't want. Its more than just emails and phone numbers its my address and date of birth as well and my childrens details as well.

The main issue I have with this is this is not the first time there has been an issue with the GAA members data security. I remember that email to our county board from an anonymous source and a later GAA press release in the Irish Independent about an employee of Servasport that lost his laptop with GAA membership information on it. Both the GAA and Servasport denied this to the ground at the time but here we are again and this time the info is out there so there can be no denying it. Were they so desperate to get this database up and running they were willing to ignore this suspected earlier breach

So A

Either Servasport and/or the GAA lied and the information was lost and its only coming back to bite them in the ass now

Or B

They had a clear warning about this maverick ex employee (I am assuming it was him in both instances) and he was still at a later stage able to go in and get membership data which smacks of incompetence from both the GAA and Servasport

imnewhere

HI Tut Tut,

Dint suppose you have a link to the Independent article on this, or even know / remember what date it was published on ?


PS - my money is on option A

Cheers

X files

Very worrying and lax never mind dangerous what was the Belfast guy thinking not reporting it properly.

Mervyn Crawford

The GAA will be compiling any personal data they can get because of it's use.

Clubs will be keen to inflate membership to avail of as much grant monies etc.