Saturday 21 April 2018

Privacy fears prompted executive's switch to personal email account

Robert Pitt and Leslie Buckley during the INM AGM in the Westbury Hotel in June 2015. Photo: Frank McGrath
Robert Pitt and Leslie Buckley during the INM AGM in the Westbury Hotel in June 2015. Photo: Frank McGrath

Dearbhail McDonald and Shane Phelan

The former chief executive of the country’s largest media publisher claims he stopped using his company email address due to concerns about the privacy of his communications.

The corporate enforcement watchdog maintains Robert Pitt, former CEO at Independent News and Media (INM), switched to using his personal email account for recording notes of events.

INM, which publishes the Irish Independent, is at the centre of a major data breach controversy.

A list has emerged containing the names of 19 people, who it is feared had their emails searched by outside companies.

The list included two distinguished ‘Sunday Independent’ journalists, Brendan O’Connor, the newspaper’s deputy editor, ‘Life’ magazine editor, and a successful television and radio presenter, and his colleague, respected investigative journalist Maeve Sheehan.

According to an affidavit filed with the High Court by the State’s corporate watchdog, Mr Pitt says he switched to a private email account “on the basis that INM had a track record of reviewing former directors’ emails”.

The claims were said to have been made in August 2017 when Mr Pitt brought concerns about the alleged data breach at the company to the attention of the watchdog, the Office of the Director of Corporate Enforcement (ODCE).

ODCE director Ian Drennan is now seeking to appoint inspectors to INM to investigate a range of corporate governance issues, including the suspected data breach.

Mr Drennan says INM’s IT back-up tapes were removed from its premises to a company outside the jurisdiction in October 2014, where they were “interrogated” over what appears to have been the course of a number of months.

The data is alleged to have been accessed by six companies external to INM.

It is unclear why the 19 names were on the list, but Mr Drennan claims data relating to a number of former and current staff, including journalists, may have been interrogated during this exercise.

The data interrogation, the ODCE alleges in its affidavit, was directed by then INM chairman Leslie Buckley.

Two invoices associated with it were paid by Blaydon Limited, an Isle of Man company whose beneficial owner is businessman Denis O’Brien, INM’s largest shareholder and a long-term business associate of Mr Buckley.

Neither Mr Buckley nor Mr O’Brien have commented.

According to Mr Drennan’s affidavit, Mr Pitt’s concerns about the privacy of his emails were driven by a conversation he had with an INM employee.

This person, he said, told him that they had “previously used IT privileges to look into other people’s accounts or copy to third persons data from the servers”.

According to a disclosure made by Mr Pitt to the ODCE, this same person informed him in May 2015 that they were “very worried and concerned about something”.

They went for a walk on the street outside INM’s premises in Dublin and Mr Pitt was informed that a third-party company was given access to INM’s servers. Mr Pitt was also informed a Derek Mizak was involved in the work.

When one of the companies suspected of involvement in the alleged data interrogation, TDS UK, sent an invoice to INM in December 2015, Mr Pitt contacted Mr Buckley.

According to the affidavit, Mr Pitt said Mr Buckley told him to contact a person called John Henry, who could resolve the matter.

Mr Drennan’s affidavit says Mr Henry is the chief executive of a company called Special Security Services Limited and that he believes Mr Henry ran the data interrogation.

Mr Buckley has previously told the High Court that Specialist Security Services provided certain security services to him and that Mr Henry was the person who initially introduced him to Mr Mizak, an IT expert, in order to assist with what Mr Buckley described as a “cost-reduction exercise” at INM.

The affidavit says Mr Pitt told the ODCE he made it clear to Mr Buckley there was an issue regarding the nature of the work and that neither he nor INM’s chief financial officer Ryan Preston had clarity “of what it led to”.

These concerns were not allayed when Mr Pitt subsequently spoke to Mr Henry by phone.

The invoice was subsequently discharged not by INM, but by Blaydon, Mr Drennan says.

Following Mr Pitt’s disclosure of the suspected data breach to the ODCE in August last year, the watchdog wrote to INM. On August 22 last, the company’s board appointed Deloitte to conduct a review of the circumstances relating to the extraction of the data and its provision to third parties in October and November 2014.

The Data Protection Commissioner (DPC) was also informed  of “a potential data security incident” on August 27.

Premises

According to Mr Drennan’s affidavit, Deloitte was asked to ascertain what INM files were accessed, what work was carried out at INM’s premises and what files were provided to TDS UK.

The scope of its examination was limited to the period October to December 2014.

He said its terms of reference did not extend to ascertaining what accessing occurred in locations other than INM’s premises and by whom.

Deloitte was advised INM’s back-up tapes were returned from TDS UK in Wales “prior to Christmas 2014”.

The consultants found the engagement of Mr Mizak had not been supported by an engagement letter or formal terms of reference and a recommendation was made that any engagements with third parties should be underpinned with an engagement letter.

Deloitte also noted that although senior management had concerns regarding the data interrogation, these concerns had not been escalated.

In the affidavit, Mr Drennan says Mr Mizak has connections with the Reconnaissance Group.

This firm provides security services to clients doing business in emerging markets. According to Mr Drennan it has connections in Haiti with Digicel Haiti, of which Mr Buckley is vice-chairman.

Mr Drennan claims INM’s reaction to the incident was “unsatisfactory”.

“While it commissioned a report into the data interrogation by professional services firm Deloitte, INM downplayed the seriousness of the data interrogation in its subsequent correspondence with the Office of the Data Protection Commissioner,” Mr Drennan alleged.

INM has declined to comment.

Irish Independent

Business Newsletter

Read the leading stories from the world of Business.

Also in Business