The alleged data breach at Independent News & Media, in which thousands of emails from journalists, senior staff and advisers were accessed, was not carried out for the reasons originally claimed by the publisher, a new report has found.

In multiple sworn affidavits to High Court president Mr Justice Peter Kelly, the media group previously said the alleged breach was due to a wish to examine legal contracts as part of a cost-cutting exercise. However, the report from Deloitte, which conducted a review of the security incident for INM’s board, has confirmed that this was not the reason for the alleged data breach.

“Deloitte found that the purpose of the data interrogation was for a purpose other than seeking details regarding the terms and value for money of a particular long-term contract for legal services as had previously been advised to the INM board,” the media group’s chief legal officer, Paul Vickers, stated in a letter sent to those affected last week.

The letter, seen by The Irish Times, states that Deloitte had not found any evidence to suggest that members of the INM board were aware before March 2018 that the breach was for a different purpose than previously advised.

Former INM chairman Leslie Buckley, who stepped down in March 2018, previously claimed the breach was a cost-cutting exercise called Operation Quantum.

Ian Drennan, who leads the Office of the Director of Corporate Enforcement, said earlier this year that the purpose of the data interrogation “remains unclear but certainly appears to be suspect and requiring further investigation”.

Group of 19

The so-called INM 19 group whose data is alleged to have been “interrogated” includes several current and former INM journalists, such as Sunday Independent writer Brendan O’Connor, and Sam Smyth, a former INM journalist who reported on former majority shareholder Denis O’Brien’s involvement in the Moriarty tribunal.

It also includes former INM chief executive Gavin O’Reilly and former director of corporate affairs Karl Brophy, who are taking their own legal actions over the alleged interrogation of their data.

According to the letter sent last week by INM, the breach went on for far longer than first reported, with Deloitte indicating it continued past December 2014 and may have been ongoing for up to a year later.

In addition, Deloitte concluded that more companies were involved in the managing and carrying-out of the data interrogation than first advised to INM’s board. The incident is known to have taken place in late 2014, with INM reporting a major data breach to the Data Protection Commissioner in August 2017.

INM is taking legal action against Mr Buckley over the circumstances surrounding the alleged data breach, which involved information in company emails being copied from servers and taken out of the country to be analysed by third parties.

According to Mr Vickers’s letter, some key players refused to engage with the investigation, “which frustrated efforts to obtain further details”. He went on to say the media group was “disappointed that it was not possible for Deloitte to uncover further information ... due to the lack of co-operation provided by certain individuals.”