South Wales Police is investigating a potentially significant data breach after financial details of more than “a hundred clubs” belonging to the Football Association of Wales entered the public domain.
It's claimed the sort codes, account numbers, card numbers, expiry dates and security codes of clubs who entered the FAW Amateur Trophy during the 2017/18 season were found to be in the file.
The Football Association of Wales has not explained how the file ended up in the hands of members of the public although they have said they take security and data protection very seriously.
ITV Wales has shown the Information Commissioner’s Office the evidence we uncovered during our investigation.
The ICO, the body that regulates data protection in the UK, said: “This incident raises some concerns and we will be making enquiries.”
South Wales Police have confirmed they are investigating an alleged data breach while ITV Wales understands the financial details of around 150 clubs were found within the file which is now in the possession of investigators.
A record 162 teams from across Wales entered the FAW Amateur Trophy in 2017.
The cup is a knockout competition contested by clubs in the lower tiers of the Welsh football pyramid system. During the 2017/18 season, Conwy Borough lifted the trophy beating Rhos Aelwyd FC in the final, which was held in Broughton.
Brian Cullen was secretary of West End Rangers during the 2017/18 season.
The Swansea Senior League club did not have a bank account so Mr Cullen gave his own financial details to the FAW to ensure the club's entry into the competition.
Mr Cullen says he received a phone call warning him his financial details were within a file which was now in the public domain.
“I just couldn't believe it,” he said.
“I filled that form in in good faith thinking it was going to a massive body, which the FAW are. I find it mind-boggling that my data was out in the public domain.
“It could have been catastrophic. Thankfully, I’ve gone back through my accounts and nothing has been taken. But, if it had fallen into the wrong hands, who knows?
“I honestly thought the data would have been put into a database or shredded.”
John Cornelius is the Chairman of the Swansea Senior Football League, he said he was shown the file which included financial details of Ragged School FC, a club he was secretary of during the 2017/18 season.
Mr Cornelius says he informed South Wales Police after witnessing details of “over a hundred clubs”.
Mr Cornelius described the financial information that appeared in the file.
“Exactly my bank details and everything else relating to me from a cheque I paid to the Welsh FA while I was secretary of Ragged School FC,” he said.
Mr Cornelius says he informed the FAW as soon as he became aware of the existence of the data file.
“I sent two letters to the Welsh FA and informed Chief Executive Noel Mooney of the data breach. I offered to bring this file to Noel Mooney.”
The FAW say they were informed in March of this year of a potential data breach but after an investigation found there was no evidence to suggest that a breach had occurred and so they did not inform the Information Commissioner's Office.
The Chief Executive of the FAW, Noel Mooney, was approached for comment but declined our offer of an interview.
Analysis by Dean Thomas-Welch, Senior Correspondent
For almost three months I have investigated claims the financial and personal details of football representatives and clubs that entered the FAW Trophy during the 2017/18 season had entered the public domain.
I was approached by the memorabilia collector who made clear their intention to remain anonymous. They alerted me to the existence of the data file after learning of my position as a volunteer chairman of a football club which plays within the Swansea Senior League.
The FAW say they have a process in place for confidential information that ensures it is destroyed securely although it is unclear in this instance how bank details of some Welsh football clubs were acquired by a member of the public.
Brian Cullen says he is disappointed he has not yet been contacted by the FAW.
He said: “They’ve known for months and nobody from the FAW has contacted me…at all…which I find mind-boggling as well.
“I’ve been on the committee with West End for 27 years and this is the worst thing I’ve ever seen in football.”
During our investigation, ITV Wales was also shown a large number of artefacts that had belonged to the FAW which, it’s claimed, were put up for sale online.
ITV Wales has seen medical equipment, international shirts, souvenir plates and coins from international football associations as well as pictures of former manager Chris Coleman and his family which our source says they purchased from eBay.
Included in the collection that ITV Wales saw was:
A commemorative plate from the Bulgarian FA given to Wales on the 11th of October 2011
A commemorative coin from the Bosnia-Herzegovin FA given to Wales the night they qualified for Euro 2016
A commemorative plate from the Dutch FA from a friendly played on the 4th of June 2014
The FAW say how they dispose of memorabilia is a matter for the association, although they have not confirmed how the memorabilia found its way onto the open market.
Jeff Evans is a senior life member of the Swansea Senior League committee. He said he was disappointed to see so much Welsh football history for sale online.
“I was absolutely astonished,” he told ITV Wales.
“A lot of clubs are struggling and if the Welsh FA had anything about them they would have told clubs to come up there, take away the memorabilia, auction them and raffle them, so each club in Wales could have made money."
He added: “Personally, I think heads should roll. I think we deserve answers as a league and as an association. Hopefully speaking out will bring this out into the open.”
A spokesperson from the FAW said: “We initially investigated this matter following receipt of correspondence alleging a potential data breach in accordance with its data protection policies and its obligations under data protection legislation.
"These investigations established there was no evidence to suggest that a data breach had occurred. Having reviewed this position following receipt of redacted documentation from ITV Wales, whilst it is not clear where the documentation has been obtained from, the FAW will proactively inform the ICO that a data breach may have occurred in relation to this one document."
An ICO spokesperson said: “People have the right to expect that all organisations handling personal data should do so safely and securely.
"If anyone has concerns about how their data has been handled, they can report these concerns to us.
“An organisation must self-assess and conclude if a breach should be reported to the ICO. This incident raises some concerns and we will be making enquiries."