The State’s corporate watchdog warned there were “very serious public interest issues” concerning the freedom of the press arising from a suspected major data breach at Independent News & Media, court records show.

Director of Corporate Enforcement Ian Drennan raised concerns in legal papers filed with the High Court that INM journalists’ communications may have been accessed by unauthorised third parties in an alleged data security breach at the State’s largest media company in October 2014.

This was one of the reasons cited by the director, who investigated INM for a year, in his claim that the company needed to be investigated further by court-appointed inspectors.

In his lengthy affidavit to the court, Mr Drennan has said that personal data and other “highly sensitive” data such as journalists’ confidential communications with sources may have been on back-up IT tapes that were taken from INM’s premises, removed and interrogated by external companies outside the jurisdiction.

The corporate watchdog wants inspectors appointed to find out why it appears data was removed from INM’s premises and subjected to a months-long “interrogation” on the instruction of the then INM chairman, Leslie Buckley, and paid for by an Isle of Man company beneficially owned by INM’s biggest shareholder, Denis O’Brien.

Authorisation

The inspectors, he argues, would seek to establish whether those who played a role in accessing INM’s IT data had the necessary authorisation or appropriate legal basis and if so, the implications for INM, its directors and “the relevant data subjects (including journalists, given the particular nature of their work)”.

“A free press is a cornerstone of a functioning democracy and journalists’ communications have a particular status in that regard. As such, allegations of accessing of journalists’ communications by unauthorised third parties raise very serious public interest issues,” Mr Drennan in his affidavit.

The ODCE provided evidence to the court suggesting that named current and former INM journalists were listed as “persons of interest” in searches of the data by outside cybersecurity and IT consultants.

Data interrogation

Mr Drennan’s affidavit refers to February 2015 emails that appear to be about the data interrogation circulated among Mr Buckley’s personal security consultant John Henry; cybersecurity expert Derek Mizak; Keith Duggan, who has worked with Mr Mizak; and two executives of a company called TDS – Ron Cole and Robert Breen.

The sworn statement to the court states that attached to the one or more of the emails with the subject line “persons of interest” was an Excel spreadsheet, which is described as “6 February Request: Targeting 19 users/names – initial analysis 19 Users Requested, 3 previously targeted. 16 new users targeted.”

‘Requested users’

Data within the spreadsheet includes the term “requested users” containing a list of 19 names that includes journalists Maeve Sheehan and Brendan O’Connor of the Sunday Independent, and Sam Smyth, the former Irish Independent journalist who wrote extensively about Mr O’Brien.

The Excel spreadsheet includes a reference to “email hits (exchange databases)” against eight of the 19 names, including against the names of the journalists.

TDS last night in a statement challenged some of the assertions of the ODCE as reported by the media.

The company stated, “TDS were engaged to provide specialist data restoration services at the INM office in Dublin and thereafter at our facility in Wales due to the volume and incomplete organisation of the data tapes at the INM offices.

“TDS restored data from the INM backup tapes and returned the data and tapes and had no further role in the matter.”

It added that, as with every client engagement, “TDS adhered to its strict data protection and security protocols and accordingly TDS never released data to any third party.”

The National Union of Journalists expressed “grave concerns” earlier this month about the threat to the confidentiality of journalistic sources in light of the ODCE’s claims about the alleged data protection breach.