PL charge City for alleged breaches of financial rules

Nope, that is not what happened
They accessed a live account belonging to a current employee
You do know where the ICO is based and how many City season ticket holders work there, don’t you? And how many of them might be on here?
Not interested in who supposedly works where or who's reading. That kind of line says more about the strength of your argument than mine. On the actual facts: it was never an ICO matter; it was the FA, and they closed their investigation in 2020, citing the age of the allegations and the settlement. No liability was ever accepted, and no court ever ruled. So "the ICO would have ruled X" is the wrong regulator, and "they admitted accessing a live account" is wrong too, because nobody admitted anything. Debate the reported version or don't, but the intimidation routine won't do the work for you.

On the mechanism specifically, every public report points the same way. The people alleged to have accessed the system were FORMER City scouts who had moved to Liverpool. Dave Fallows and Julian Ward are the names reported, alongside others who made the switch in 2012. The Times' account, carried by SI, Goal and the rest, is that City alleged their Scout7 login was used on hundreds of occasions over roughly eight months after those staff left for Liverpool.

That framing matters. The reporting describes ex-City employees using City login access on the Scout7 system after departure, not the compromise of a current City employee's live account by an outside intruder. On the public record, this reads as a retained-credential or leaver-access problem: login details that should have been wiped/removed from the system when those staff left City remained usable, and were allegedly used from the other side. That is exactly the access-control category point made earlier. Credentials live after departure, access not revoked, exploited by people who should no longer have had them.

The granular technical detail (whose account it was, exactly how access persisted, what was reset, and when) was never made public because the matter settled without an admission or court findings. So nobody on a forum can state the mechanism with certainty. But on what is reported, the picture is former-employee access via retained City credentials, not the hacking of a current employee's live account. Anyone asserting the latter as an established fact is going beyond what the sources support.
 
AI assisted slop and incorrect in too many ways to bother listing
 
Too many to list usually means "none I can name." If a single fact's wrong, quote it and correct it. The FA isn't the ICO; the settlement contained no admission; and the reporting describes ex-City staff using retained logins. Three facts, all sourced/publicly available. Your move.
 
You're both nearly there, 90% right. But the label "we were in breach of GDPR" is the wrong one. The accurate version is that the City had a weak leavers process, an inadequate Joiners/Movers/Leavers process. That left credentials live after a staff member had left, and they exploited the resulting access gap. That's the access control/RBAC failing. This is why we settled; if it went to the ICO, they would have probably ruled "inadequate access control"
What pisses me off is that around that time the dippers built a really good side, and since then have done some very poor business in the transfer market by comparison - suggesting that they did well out of it.
Admittedly I may be adding 2+2 and making 5 but who can say for sure?
 
The ICO was made aware and passed it to their criminal investigation team but they eventually decided not to pursue it further for similar reasons as the FA

Football clubs, like members of the royal family, are famously generous and happy to give away seven-figure sums even if they’ve done nothing untoward whatsoever

Even a basic 10 second Google search throws up references to then-existing City staff member Rob Newman’s account being the one accessed. I guess AI missed that for you
 
2+2=5 is doing some heavy lifting there, but I won't pretend I haven't done the same maths after a few pints. The honest version is we'll never know how much it helped them, because it settled with no admission, and the recruitment that followed could just as easily be down to Edwards (I doubt this) being good at his job. Either way, "their best years coincided with reading our homework" is a fun theory to float. I'm more frustrated that we didn't remove their credentials, have active reporting for privileged access/accounts, and that it wasn't being reviewed on a regular basis.
 
It would have continued for much longer had it not been discovered that ‘Rob’ had apparently logged in, when it was not possible as he was in a completely different location.
 
Not conceding. Whether it's Newman's account or anyone else's, the issue is the same, a privileged Scout7 account was used hundreds of times over eight months, and we didn't spot it until we paid for forensics. No login alerting, no IP monitoring, no review of privileged access. Newman's account being the one used proves my point; it doesn't dent it.

I'm not excusing Fallows, Ward or Edwards either; they're at fault. But two things can be true. They did wrong (credential theft and re-use of said credentials), and we left the door (WIDE) open and weren't watching it.

On the ICO point you made, I didn't need to go there, but I will now. What's reported is Damian Collins saying in 2019 there "could be grounds" for the ICO to look, an MP floating it, not the ICO opening and dropping a criminal case. Only the FA is confirmed to have investigated and closed. Got a source for the ICO bit? Please post it.
 
They didn’t use ‘their’ retained log in details, they illicitly used the details of their former colleague Rob Newman; Rob was still employed at City at the time, hence the illicit access wasn’t noticed for some time. It was only discovered when Rob supposedly logged in, when it was not actually possible for Rob to log in as he was in another location
 
This has been my point all along. Credential theft/multiple misuses, poor cyber hygiene (reporting on privileged accounts). Your point about geolocation, two IPs. Then, no MFA, and no account reviews, or key supplier (Scout7), saying we believe/we have seen some suspicious behaviour, he has two active sessions, both in the North West, but one in Liverpool, and one in Manchester.
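
An added example, not part of the thread or any poster's own words: the two gaps raised above (no alert when one account holds sessions in two places at once, and no review of where a privileged login comes from) written as checks over a session log. The rows, account names, addresses and the `KNOWN` baseline are constructed for illustration, and the field layout is an assumption, not the actual log format of Scout7 or any other product.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample sessions: account, source IP, geo label, start, end.
SESSIONS = [
    ("analyst1", "192.0.2.10",   "Manchester", "2024-03-04 09:00", "2024-03-04 12:30"),
    ("analyst1", "198.51.100.7", "Liverpool",  "2024-03-04 10:15", "2024-03-04 10:50"),
    ("analyst1", "192.0.2.10",   "Manchester", "2024-03-05 09:05", "2024-03-05 11:00"),
    ("analyst1", "198.51.100.7", "Liverpool",  "2024-03-05 11:00", "2024-03-05 11:40"),
    ("analyst2", "192.0.2.22",   "Manchester", "2024-03-04 09:30", "2024-03-04 17:00"),
    ("analyst2", "192.0.2.23",   "Manchester", "2024-03-04 13:00", "2024-03-04 13:20"),
]
# Constructed baseline: source IPs each account is expected to log in from.
KNOWN = {"analyst1": {"192.0.2.10"}, "analyst2": {"192.0.2.22", "192.0.2.23"}}


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def concurrent_session_alerts(sessions):
    """Flag one account holding overlapping sessions from different locations."""
    by_account = defaultdict(list)
    for account, ip, loc, start, end in sessions:
        by_account[account].append((ip, loc, _ts(start), _ts(end)))
    alerts = []
    for account, rows in sorted(by_account.items()):
        for a, b in combinations(sorted(rows, key=lambda r: r[2]), 2):
            # Half-open intervals: a session ending at 11:00 does not
            # overlap one that starts at 11:00.
            overlap = a[2] < b[3] and b[2] < a[3]
            if overlap and a[1] != b[1]:
                alerts.append((account, a[1], b[1], max(a[2], b[2])))
    return alerts


def unfamiliar_sources(sessions, known):
    """Count sessions per account from source IPs outside its baseline."""
    counts = defaultdict(int)
    for account, ip, *_ in sessions:
        if ip not in known.get(account, set()):
            counts[account] += 1
    return dict(counts)


if __name__ == "__main__":
    print(concurrent_session_alerts(SESSIONS))
    print(unfamiliar_sources(SESSIONS, KNOWN))
```

The overlap check catches the simultaneous-session case only; the per-account count of unfamiliar sources is what surfaces repeated use that never overlaps with the legitimate user.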
 
No your point all along has been that they used their own logins after leaving the club. You’re now shifting the goalposts
What a weird hill you chose after about 10 years of inactivity
 
Access controls were poor, cyber monitoring was poor, and SaaS supplier oversight was non-existent. We can go round on the mechanism all day, but it boils down to this. They were at fault for accessing the system, and we were responsible for the gaps I've described that allowed it to run undetected for 8 months. Two things, both true. That's been my point throughout.

Regarding the 10 years, I'm a lurker, or is that not allowed? I didn't realise I needed a minimum of 10 comments per day to be allowed on the forum, and be like you with over 30k, lesson noted.

Enjoy the rest of your bank holiday, I'm off to enjoy mine.
 
I wouldn’t be surprised when we get the release of the 115 outcome, that a few months maybe a year down the line they’ll come up with something else to throw at us ..
Yep can see it coming a mile off. Depends a lot on if we continue to hoover up trophies though. If we drop off significantly they’ll probably shut up
 
When we are publicly declared to have been exonerated, hopefully over the next week or two (well I can dream about timescales can’t I?), it will feel like a title win.
I have the receipts to post on Twitter. I can’t wait.

It’s coming and when it gets here the wait will have been more than worth it
 
If you're claiming to state facts, it helps to get those right. They used Rob Newman's account, who was still at City then.

It was potentially an offence under the Computer Misuse Act. There are 3 levels of offence under that act:
  1. Unauthorised access to data.
  2. Stealing (i.e. downloading) data you accessed in an unauthorised way.
  3. Altering data (i.e. changing or deleting it).
It should have been a matter for Greater Manchester Police.
 
It, I’m sure, would have been a PL rule broken as well - one of the conduct ones
 
Cba reading is there any latest update to all these charges or a verdict at any point this century?
 
