FIFA employee sells personal details of fans who bought world cup tickets

A Norwegian website has claimed that it has the personal data of more than 250,000 football fans who were sold World Cup Final tickets by an employee of FIFA.

Dagbladet says the list includes the full name, date of birth and passport number in each case and was built up from the sale of tickets for the 2006 World Cup.

The point here is that these tickets should never have gone onto the market – they were filtered out of the official selling system and offered by a Fifa member of staff at “Match Hospitality” (an official supplier of tickets).  Either he/she kept the records and then sold them or his/her records were lifted from the office and then sold.   It is alleged at every single world cup that vast numbers of tickets are sold in this way.

It is also being suggested that this list is just a snippet – a tiny element of the amount of private data available for sale about individuals.   The data is sold at around €2.5 per individual.

Even more worrying than the claims (which do give a lot of backup information) is the fact that Jaime Byrom, chairman of Match Event Services is reported as saying that he finds Dagbladet’s (the web site) revelations “hard to believe”. He said: “FIFA, Match and the corresponding line of control take every possible step to prevent the unauthorised sale of tickets.”

Anyone who has ever worked with data for more than a day must know that the one certain thing in a digital world is that data escapes and is sold.  Daily readers of SC Magazine (a prestigious on line reporting service) get treated to a daily update of who has lost what data, and the lists are horrendous.  In the UK military personnel, ordinary citizens’ passport numbers, holders of bus passes, which families are on benefit, bank customers – and of these details have been lost or stolen in the past year.  If it is on a computer, someone has lost it and someone else has stolen it.

But such awareness has not reached Fifa.   When asked if Match has enough control over who has access to such information, Byrom said: “We believe so and have no reasons to believe otherwise, other than through the representations you have made.”   As a statement of complacency that is overwhelming.  We are, after all, living in an era where people leave memory sticks containing military secrets on trains.

What is interesting is that in all his denials Byrom did not make a single mention of having an encryption system in place, which anyone working with data would always say is the first step.   What Byrom could have said was, “our encryption system shows us who has accessed the data, and who has tried to break the system.”  I doubt he even knew about such things.

Svein Gjedrem, the current governor of the Central Bank of Norway, is on the list and has confirmed he was present at the matches he is listed at.  The former Prime Minister of Sweden Ingvar Carlsson and former Minister of Integration Jens Orbäck, are also on the list plus the secretary general of the Swedish Football Association, and several of his close family members.

The Information Commissioner’s Office (ICO) has contacted FIFA regarding the allegations and will be liaising with the organisation further as we move forward with an investigation. Our initial enquiries suggest that the information in question consists of the name, date of birth and passport number of approximately 7,200 individuals.

“The unlawful trade in people’s personal information is a criminal offence under section 55 of the UK Data Protection Act. We appreciate that England fans who bought tickets for the World Cup in 2006 are keen to understand whether their privacy has been affected as a result of this incident.”

What should happen in a secure system is that there is a log showing who has access to what and how and when, and in that way anyone thinking of getting into a system knows that they will leave a fingerprint.
But given the way Fifa operates at all levels what probably happened here is that people who should not have access and did not need to have access, found that they could lift the data, copy it to a memory stick, and walk out of the office.

Certainly immediately after the event the data should have been deleted – and the fact that it is on sale now suggests that it wasn’t.  After all if the crime had been committed in 2006, why wait until now to start selling the personal details and passport numbers?

That implies that a whole raft of people have been able to walk into the ticketing offices and lift private and personal details of people who bought world cup final tickets.  So we really don’t know who has access to the data from 2006 nor from 2010.

If you bought a ticket from a Fifa agency for either event, it might not be a bad idea to start changing every password you have, while informing people such as the driving licence authority and passport issuing authority that your details may be compromised.

Arsenal v Braga

Coming shortly, Phil Gregory’s preview.

Arsenal vs the Arsenalistas. Billy the Dog’s match preview and commentary on the issue of the players’ car park.

Have we really improved? An early comparison between seasons

The injury index: how Arsenal’s injuries compare with the other senior clubs?

The comparison: If injuries are bad now, was it much better in the past?  90 years ago our keeper had to play at left back with a damaged wrist.  40,000 turned up to watch.

4 Replies to “FIFA employee sells personal details of fans who bought world cup tickets”


    Man… that one nearly slipped under the radar! How is this NOT front page news?!

    You should also mention that:

    “Match Hospitality, owned in part by a media company run by Philippe Blatter, nephew of the Fifa president, Sepp Blatter, won exclusive rights to sell ticket hospitality packages at the 2010 and 2014 tournaments three years ago.”

    What.. FIFA – with their reputation?!?! Surely no!

  2. Casual observer,

    It’s all in the family…. But I guess that is typical for every dictator. They help their relatives and family to jobs, money or what ever they want or need.

  3. Well I will never give them any of my hard earnt money anyway so they will never have my ID.
    But this shows that they are very negligent and cannot be trusted.

Comments are closed.