Rogue Employees Sell World Cup Fans' Passport Data

An anonymous reader writes "Reports are coming in that the Information Commissioner's Office has started investigating FIFA, the world football governing body, over allegations that details of thousands of World Cup fans' — including their passport data — were accessed by one or more members of staff and then sold on the black market. It is alleged that the details of more than 35,000 English fans — who visited Germany for the 2006 World Cup — had their passport and allied data sold to ticket touts for marketing purposes."

One more reason just to kill scalpers.

[sethstorm]

It is alleged that the details of more than 35,000 English fans -- who visited Germany for the 2006 World Cup -- had their passport and allied data sold to ticket touts for marketing purposes."

No wonder, they're scalpers.

Re:One more reason just to kill scalpers.

[Darkness404]

Um, I really don't see whats so bad about "scalping" tickets. If people are willing to pay more than the listed price, let them. Now, granted, selling personal data is bad, but scalping isn't. Its simply the free market at work, if I've got something I bought at $5, why should I -have- to sell them at that price? If someone wants to spend $10, $20, $50 on them, let them.

Re:

[SudoGhost]

Because then that promotes someone buying 100 tickets at full price, and selling them for double. That takes away from 100 people who were going to be able to buy tickets at full price.

Re:

[Darkness404]

...Then they should be priced double that. The only reason scalpers exist is because there is an imbalance between what people are selling something for and what they are worth. Why should I be outraged that Bob's Arena is selling Justin Bieber tickets for $40 but people are willing to pay $80 for them? And it isn't like these are any sort of vital resources like gas, oil or water. I really see nothing to be outraged about, should I also be outraged that some people go to garage sales and get baseball cards

Re:

[shentino]

I'm curious if scalpers sell more or less tickets than the original vendors would have sold had they used the scalper's prices to begin with.

The question is, do the scalpers inflate the prices artificially by monopolizing the supply?

Re:

[sjames]

Another factor is the sold-out cred. The optimum price (defined purely economically) will tend to leave a few unsold seats. There is a lot of cred in the entertainment world to selling out an event. Not selling out is seen as a sign of flagging popularity.

in baseball...

[KingAlanI]

The Boston Red Sox make a point of making their ticket prices a bit low, so that they get credit for a sell-out as the scalpers pick them up; this also moves unsold-ticket risk form the owners to the scalpers.

Figures; I got the tix for the 2 games I went to off StubHub.

Several dozen games in the same place might be different from concerts spread out over the country/continent/world (with 1, maybe 2 or 3, stops per city), I don't know.

Re:

[sjames]

Somehow, I doubt the Sox would have much trouble selling out Fenway even without the scalpers. It's not that big a park for such a popular team.

In fact, they'd look even better without scalpers since with them, not every "sold" ticket means a filled seat. Without scalpers, it would. Not that I see a whole lot of empty seats anyway.

Re:

[KingAlanI]

I believe I read about this in dead-tree form, so I don't have a link handy.
Maybe it's a *slight* discount essentially offered to the scalpers to work according to the mechanism described.

Yeah, Fenway at a shade under 40K is one of the smallest parks in major league baseball.

Indeed, I saw very few empty seats when I was there on July 3 and 4. (I got in on a cheaper standing room only ticket each day; I found an empty seat in the upper grandstand rows. Both times, it was filled by someone several innings lat

Re:

[hedwards]

That's bullshit. The reason why scalpers exist is because the ticket sellers allow the tickets to be bought up in huge quantities before people have the chance to buy them. People pay it because they have little choice but to pay. With popular acts, the tickets are frequently sold out more or less immediately, leaving ordinary people with little chance to buy.

What you're suggesting is a little bit like buying up all the oil quickly, then gouging the hell out of it when the people without the means to get

Re:

[sjames]

Actually, there are limits. The scalpers often go to extremes in order to snap up huge quantities of tickets in lots of 10.

Re:

[Hognoxious]

I'm sure that if you know someone in the inside those limits can be bypassed.

Re:

[sjames]

Probably, but mostly they just initiate many many sessions and buy 10 tickets each. They do it a bit like the high frequency traders do on Wall street.

Re:

[Hognoxious]

Don't start me off, or I'll mention that ticketbastard [wikipedia.org] are just legalized, certified and officially authorized scalpers.

If you reply to this post, I'll charge you 28 million dollars response processing fee, 15 million dollars credit card processing fee (unless you don't pay by credit card, in which case I'll charge you 98 trillion dollars for something else).

And if you don't reply, I'll charge you 17 million dollars unresponsivitynesstude surcharge. And if you complain about that ... see above.

Re:

[eyrieowl]

Perhaps the ticket sellers could do more...although I'd imagine the only thing that would be likely to work is to require that all tickets have a name associated with them at time of sale, and that only the named party is able to use them. Barring that...it's a distributed attack. The scalpers can get thousands of people to buy tickets on their behalf for a small payout, and then they can take ownership of those tickets and resell them at a high premium. How are the ticket sellers suppose to know that Bo

Re:

[Mr. Freeman]

Yes, one of these products is necessary and the other is not. However, you haven't demonstrated how the ECONOMICS of the situation are different in any way whatsoever. Your argument is a red herring.

The argument is that scalpers monopolize the ticket supply, which is like oil sheiks selling the oil at inflated prices. Your response is that because one product is necessary and the other isn't the entire comparison is absolutely insane.

So, I'll start the argument again. I assert that ticket scalpers monop

Re:

[Darkness404]

It isn't an inflated price though. It is simply the market price. Who is to say what a front-row ticket to see Justin Bieber is worth? If someone wants to pay $100 for it, then let them. If the original tickets cost $50, its simply under-priced to what the market is willing to pay. Ideally the arena hosting the event would charge market price, what people are willing to pay, but they don't so there in an imbalance.

The parent poster wasn't going off on a tangent, he was simply stating that monopolizing o

Re:

[lul_wat]

Just because you can be a cunt, doesn't meant you have to be.

Re:

[eyrieowl]

Well, you can certainly choose to feel otherwise, but if the provider of the entertainment I want to attend wants to sell the tickets to their event at a price which I am able to pay, and some douche does an end run around the provider's restrictions to monopolize the supply and then sells those same tickets for a price I'm not able to justify paying...I get a little ticked by that. If a band/team/whatever else wants to give their fans an equal shot at being able to attend their event, they should be able

Re:

[ooshna]

considering i just paid a hundred bucks for a framed last peanuts comic i think i have to say. stupid people will pay money for anything.

Fixed that for you.

Re:

[phantomfive]

It's because if I'm going to pay $500 for a ticket, I want it to go to the artist, not to some guy who is fast on the phone and managed to get 5000 tickets so he could make 10 times what he payed for them. I'd also prefer it if the tickets were distributed fairly, not based on who has the most money to bid on them.

Re:One more reason just to kill scalpers.

[sjames]

It's because nobody likes leaches that jump in the middle of a transaction and grab money from both sides. Such people contribute nothing and so should gain nothing.

If the tickets were an unlimited resource, few would care, but more typically the scalpers descent and snap up all of the tickets leaving people no choice if they want to see the event.

The original seller may well have an interest in the affordability of the event. For example, it's strongly in their best interest to not have fans give up on getting tickets ever again and lose interest.

Re:

[Jurily]

but more typically the scalpers descent and snap up all of the tickets leaving people no choice if they want to see the event.

The problem is that a) there is a big difference in the ticket prices and their perceived value, especially the "last ones", and b) they can buy enough tickets to cause a problem. Scalpers merely buy low, and sell high.

Last time I heard, the entire world economy was based on that idea. Why does nobody object to the stock market?

Re:

[ooshna]

Plenty of people object to sleazy stock market practices. Does the term hedge fund mean anything to you?

Re:

[Anonymous Coward]

Scalpers will hawk events and pounce when tickets go on sale and buy MANY tickets. If you want to see the event and are at work, you won't have time to sit and refresh the screen over and over just to get two tickets. Scalpers have automated the buying and can pretty much buy the entire arena if they want. The "buy low and sell high" isn't all that is happening. It should be "buy fast and sell high". I've heard of a couple of events where scalpers bought more tickets than people who want to go see the

Re:

[sjames]

You haven't been paying attention. PLENTY of people object to one or more aspects of the stock market. Some object to the entire class of people who inhabit it.

Re:

[sjames]

No, we recently heard that as an excuse for people in power to bail out their friends at everyone else's expense. That and in the finance world, we have turned the whole thing over to 'scalpers'.

Re:

[Anonymous Coward]

Well, it depends: If you want only your richest fans to attend, yes. But sometimes there are sectors of fans who can only afford the lowest prices, and so tickets are priced accordingly. Yes, yes, it's not perfect capitalism, but it sometimes makes more sense to sell the $5 ticket to a kid who's going to come every week to the great games and the minor games, than the $100 ticket to someone who isn't all that interested in the team but wants just to see the one spectacle. Cheap tickets to major events can g

Re:

[bcmm]

Um, I really don't see whats so bad about "scalping" tickets. [...] Its simply the free market at work

This will anger a lot of American people, but the free market has been known to do things that are bad.

Make the punishment fit the crime

[humblecoder]

When they catch the people who did this, they should be forced to listen to those vuvuzelas at high volume until their ears bleed. That'll teach 'em.

Re:Make the punishment fit the crime

[socsoc]

On a serious note, if it's the second scenario supposed in TFA.... Keeping that sort of personal data for that long without any proper use for it shows either a heavy degree of incompetence or a desire to use it for their own promotions and that they are sour that "rogue" employees beat them to selling the information.

Re:

[SlashDev]

And why would the FIFA ask for passport data in the first place?

Re:

[KingAlanI]

Passport would make for a form of ID even if other forms (drivers license, whatever) would also be accepted.
Maybe it's a way to 'encourage' fans to take care of that rather important preparation for going overseas to the event.

Re:

[ooshna]

Probably to ensure that known violent football hooligans do not get tickets? I seem to recall reading some time ago that some of these violent hooligans were flat out banned from traveling to, let alone attending football games because their primary intent is to get drunk and brawl with rivals. And by brawl I don't mean a couple of drunks engaging in fisticuffs but mass fighting on a scale that we in the U.S. would call a riot.

That's b/c if any fight gets larger than a few people here in the U.S. a gun will almost always become involved.

Re:

[Winckle]

You almost sound proud of that fact.

Re:

[ooshna]

There is no pride in it and no shame in it. But there is a hell of a lot less property damage in it.

Re:

[mpe]

Probably to ensure that known violent football hooligans do not get tickets? I seem to recall reading some time ago that some of these violent hooligans were flat out banned from traveling to, let alone attending football games because their primary intent is to get drunk and brawl with rivals.

I'm sure some of these thugs are perfectly sober when they get up to their violence. Also it's for the police to keep them traveling.

Re:

[mpe]

Keeping that sort of personal data for that long without any proper use for it shows either a heavy degree of incompetence or a desire to use it for their own promotions and that they are sour that "rogue" employees beat them to selling the information.

It's more likely the former probably in terms of "We never thought about getting rid of the data we collected". Along with "We never considered making sure we only collected the minimum data we actually needed or the maximum period of time each datum needed

FUD...?

[quangdog]

from TFA:

"Furthermore, I would assume that there is a large turnover of ticketing agency employees in 4 years – can every single employee since then up until now have gained access to this data? What about passwords – were they even changed during this time period? And a very important question – who has access to the data. Did every employee have access rights to the sensitive data?" Shulman added.

Fear!
Uncertainty!
Doubt!
While I think the media does all they can to sensationalize ev

Re:

[Anonymous Coward]

Hippocrates much

Re:

[neonmonk]

M. D.
Medical Doctor.
Hippocratic oath.

You're the idiot.

Re:

[Dexter Herbivore]

Taking someone's joke a little too seriously there, aren't we?

Re:

[Kristopeit, M. D.]

being an idiot isn't funny.

i am not with you... there is no "we"... you're an idiot.

can't fight your own battles without fictionalizing a group that agrees with you?

you are pathetic.

Re:

[ooshna]

Now now boys get back to your desks before I have to call your parents. Michael what did I tell you about eating glue? I'm not going to give you a sticker at the end of class if you keep it up.

Re:

[Kristopeit, M. D.]

i don't need anything from you

you are NOTHING

Re:

[Kristopeit, M. D.]

ur mum's face have been reported to police.

Re:

[Kristopeit, M. D.]

ur mum's face is dickfuck

Re:

[Kristopeit, M. D.]

ur mum's face is funny.

Why would FIFA have this data?

[Kevinv]

Why would FIFA even have passport data at all? At what point to they collect passport data from attendees? What happens if you refuse to show them your passport?

Re:Why would FIFA have this data?

[therblig]

I believe it is because there are temporary and lifetime bans handed out to dangerously unruly football fans in Europe. The passport information is to help enforce these bans.

Re:

[Anonymous Coward]

Why would FIFA even have passport data at all?

I believe it is because there are temporary and lifetime bans handed out to dangerously unruly football fans in Europe. The passport information is to help enforce these bans.

According to the article they have a lot more than just passport data on fans, and it isn't just hooligans, its EVERYBODY!

Too bad this seems to be so normal that the article and most people on Slashdot seem to be taking this collection of data as NORMAL!

It's bizarre. If I ever go to a sports game and somebody asks me for my passport, d

Re:

[jhol13]

The data of those who are not banned need not be collected. But alas, it was.

Re:

[techno-vampire]

The data was collected because there was no other way to identify the hooligans.

Re:

[jimicus]

The data was collected because there was no other way to identify the hooligans.

No, the GP's right. You could enforce it just as easily by keeping a blacklist of names and passport numbers and simply use it as a comparison - without actually storing the number you're checking.

Re:

[Pastis]

Even better: a blacklist of hashed names and passport numbers.

Haven't they heard of shadowed information ?

Re:

[Geirzinho]

Absolutely! And it certainly doesn't need to be collected by private organizations either. If a hooligan commits a criminal offense, his data should be collected by the local police.

If a permanent ban from sports is needed, that information should be sent back to the authorities in the perpetrators home country according to international agreement.

For later matches, border control in the hosting country could then request a blacklist from each participating country.

Re:

[LotusNotesSupport]

good questions.

"Passport data"?

[John Hasler]

Why did FIFA have the "passport data" of fans at all?

Re:

[iwaybandit]

Transfer of event tickets is prohibited?

Re:

[John Hasler]

What's that got to do with passport data?

Re:

[iwaybandit]

The name on the ticket must match the passport. Either to reduce fraud or prevent scalping. Maybe all tickets purchased outside of South Africa were put on a "will call" list. This is purely conjecture on my part.

Re:

[iwaybandit]

Err, Germany.

Re:

[John Hasler]

> The name on the ticket must match the passport.

No need for them to record any "passport data". You show your passort when you pick up your ticket. Either the names match or they don't.

LOL parent marked insightful...

[ub3r n3u7r4l1st]

When did /. turned far right?

soccer bashing - come on now.

[KingAlanI]

they could just as easily bash your preferred forms of entertainment. Just as valid - or just as invalid.

How Dare They!

[Bob9113]

It is alleged that the details of more than 35,000 English fans -- who visited Germany for the 2006 World Cup -- had their passport and allied data sold to ticket touts for marketing purposes.

How dare they do this without being a corporation! Now I'm going to go use my Mastercard on Amazon, have essentially the same thing happen, twice, and nobody will say a word.

Admittedly, the passport data angle is a new twist, but the advertising companies that bought the data don't actually care about the passport numb

Re:

[jimicus]

Your credit card details can be changed in a flash at zero cost and relatively little hassle. It would be obvious very quickly if they were being abused and it's unlikely that a credit card on its own could be used as ID to take out other lines of credit.

Further, there's a mechanism to establish whether or not a card is valid built right into the entire system. How many merchants are still using those old-fashioned card swipers which don't connect to the bank? I think I've seen two in the last ten years.

Re:

[RobertLTux]

are you talking about the imprinter? (big thing where you lay the card down put a credit slip on top and make it go THUNK to prove you had the actual plate during the transaction) Just about everybody taking credit cards should either have one of those or know one of about a dozen ways to do the same thing.

Re:

[Kalriath]

Even for website merchants, they often have an imprinter and pads as backup. Hell, I've got imprinter pads (thanks Amex) despite having no actual terminal at all.

Re:

[John Hasler]

How dare they do this without being a corporation!

FIFA is a type of corporation.

Now I'm going to go use my Mastercard on Amazon, have essentially the same thing happen, twice, and nobody will say a word.

Have you considered the possibility that that just might have something to do with the fact that you know that this evil thing you are concerned about will happen when you use your Mastercard on Amazon but intend to do it anyway?

They must have a good alignment

[meteficha]

Are they caotic?

The Guardian covered this last week

[jayemcee]

http://www.guardian.co.uk/football/2010/sep/05/fifa-passports-claims [guardian.co.uk] The most interesting bit is that Sepp Blatter's nephew is involved with the company at fault.

This is what happens when companies are too big

[Anonymous Coward]

I've worked for several "big" companies, and this is a common problem:
1. Outsourcing - Has too much access, particularly the Philippines and India are getting access to peoples SSN's, I still wonder why the hell any company outsources their customer service when the only thing they can use to verify the account is a SSN. Good god. These people should only be provided with the customer's first name, and electronic verification only (eg that ASSET TAG number on your PC), not be re-verifying the account. Hell

No Primary Key

[Itninja]

What exactly does my passport data reveal about me? Here's what (with US passports anyway):

- My name (for common names, no big deal)
- My birthday (kinda private, but I give i
- My gender
- My birthplace
- Where I got my passport (issuing authority)
- Date validity (when I got it and when it expires)

That's it.

My name is not exactly a secret (I give it to total strangers all the time). Plus, it's a common one in the US, so (obviously) a lot of people have it.
My birthday is kind of personal, but there very little someone could do with it without having more data.
My gender is easily guessable once you know my first name.
My birthplace lists only the country, and not the city. Useless.
My issuing authority is even less specific: 'US Department of State'.
Date validity is also useless.

It's not as if my passport lists my SSN, home address, credit history, or anything else that can be used to steal my money or identity. Perhaps they have a lot more personal info in other countries' passports, but not in mine.

Re:

[lul_wat]

Presumably there is a delivery address attached to the ticket orders. Not that I RTFA TBH FYI.

Re:

[KingAlanI]

http://en.wikipedia.org/wiki/British_passport#physical_appearance [wikipedia.org]

TFA talks about English fans; the info in that passport seems to be similar to your list.

Re:

[jimicus]

It'll also have a passport number, which means there's quite enough on there to produce a fake passport. It may or may not pass muster at international borders, but it'd almost certainly be adequate ID at a bank.

Clue: Anyone who wants to purchase 30,000 valid passport details almost certainly has the resources to get their hands on genuine blank passports from the country of their choice and print them appropriately. The only clue that the passport they produce would be fake would be the photograph, and

Re:

[Itninja]

There would also need to be able to copy a signature well enough to fool a bank official; especially if they were withdrawing a lot of cash. And regarding photos, remember these are more than simple JPGs stored on the RFID chip. In order for a fake to be passable as a 'real' passport, it would also have to have the so-called 'ghost photo' on a different page; this photo is only readable under UV light.

Re:

[jimicus]

Which is why I said that anyone who wants to buy 30,000 sets of passport details almost certainly has the resources to deal with issues like that.

Even if it is an issue, it's only a problem in certain circumstances - maybe if you're entering a country with well-trained, smart customs officials who know most countries' passports inside out and can smell a rat at 100 paces. Put it this way, I wouldn't try to enter Israel on a fake passport.

Re:

[Itninja]

My rarely get a second look at my signature either. But then again, I am not withdrawing more a hundred bucks or so. Nor am I closing the money out of the account, getting a loan, applying for a new debit card, etc. What's more, all modern banks will scan all signed withdraw slips (and checks) and the computer does a quick probability determination on your signature against the one on file. I have noticed this whenever I am withdrawing large amounts of cash in person (seems like anything over $500) and tota

Re:

[John Hasler]

My birthday is kind of personal, but there very little someone could do with it without having more data. My gender is easily guessable once you know my first name. My birthplace lists only the country, and not the city. Useless.

All this is in your birth registration, which is public.

It's not as if my passport lists my SSN, home address, credit history, or anything else that can be used to steal my money or identity.

With the passport number, it's enough to produce a fake passport. In many places a pass

Re:

[Itninja]

...your birth registration, which is public.

How exactly would they get my birth registration? Would they send a request form (and required fee) to every municipality in the my country asking for a copy? Without my birth city, it's really hard to get a copy of that in the US.

With the passport number, it's enough to produce a fake passport...

I don't think so. In addition to my passport number, the forger would also have to know my signature (which is not stored when the RFID is read), and once they knew it,

Re:

[Itninja]

All I can say to that is....yikes. Not sure what the most common name in England is, but in the US it's usually Michael Smith. In England would it still be that easy if it's a common name?

Re:

[wendyg]

Well, several things wrong with it.

1) That is enough information for someone already possessed of the necessary technology to clone a copy of your passport, which could be used to do all sorts of things that would eventually be traced to you.

2) That information would be of great assistance to someone wanting to uncover more information about you, either mechanically (which researchers showed in 2009 SSNs can be reliably derived from your birth date and birth place) or as leverage to acquire other informatio

Current security is inadequate

[cgenman]

For security, credit cards rely upon... nobody who has ever run your credit card being hacked. For security passports rely upon... nobody who has ever recorded your passport being hacked. This is just not secure! By design, this system can *never* adequately secure people's information, because information alone is not secure enough for a transaction.

Options:

Credit cards pass through a Visa or MC controlled layer. Visa or MC then authorize a new single-merchant / single client code combination, which wi

Re:

[mehrotra.akash]

A 2nd piece of information that by agreement can never be stored, but can be used to permanently authorize a particular merchant. For example, the first time you purchased something from Amazon.com, you'd be required to enter your visa password through a visa-controlled interface. Afterwards, Amazon would be allowed to utilize your credit card. This would include recurring billing.

doesnt this already exist in the form of VbV and secure3d??
except in that case you have to enter it for each transaction, and it is used only for Indian sites, foreign sites do not ask for the password.

Re:

[jimicus]

Security in the real world is seldom an absolute.

While you're absolutely correct that there's room for improvement, there will always be fraud. The bad guys aren't going to jack it in and take a respectable job just because you've made their life a little harder. Developing a layer to reduce that fraud costs a lot of money - it's easy to devise a theoretical solution, it's rather harder to ensure it'll work reliably with the millions of card users worldwide without significantly impacting on legitimate t

Re:

[cgenman]

I have been cardjacked recently, my fiancee has been card jacked, and most of our friends have had some degree of card fraud. Anecdotally at least, the problem seems endemic.

And while I agree that security levels cost money and require expensive changes, the security of credit cards was setup to be adequate for single-occurrence swiped transactions. For any sort of stored-on-server permanence, current credit card security is a 1960's solution to a problem that started in 2000. The security of the entire

Re:

[jimicus]

This is exactly why Chip & PIN was rolled out in Europe. The traditional small swipe machines that read and store the magnetic strip become effectively useless.

Re:

[Kalriath]

A 2nd piece of information that by agreement can never be stored, but can be used to permanently authorize a particular merchant. For example, the first time you purchased something from Amazon.com, you'd be required to enter your visa password through a visa-controlled interface. Afterwards, Amazon would be allowed to utilize your credit card. This would include recurring billing.

So, 3DSecure then?

Security of employees

[iONiUM]

In this case, one of the staff members is selling the data off. Really, what's to stop this from occurring in government offices, or anything else? If price-to-gain > possible repercussions, then there is a chance staff will do something like this.

Working as a contractor, I have (many times) had access to very sensitive data. It's interesting how lax companies are with this stuff, and especially the government.. I think this story is just going to repeat again and again for governments, companies, etc (l

Why is your passport # needed to buy a ticket?

[Joe The Dragon]

Why is your passport # needed to buy a ticket?

Re:

[thegarbz]

I believe FIFA uses this to enforce international bans on some of the "special" fans. Think the English team in Euro Trip.

Hmmm

[Dexter Herbivore]

Sounds like someone ate all the pies.

Scalping itself...

[KingAlanI]

Okay, I understand that the data breach is the main point of TFA.
However, the rational economist in me finds it hard to get angry about scalping itself.
Either the lowered initial ticket prices are irrational, or rational in some non-obvious/non-direct manner.

Re:

[John Hasler]

"Never mention the war"