Privacy own-goal: World Cup blunder leaks Lionel Messi's passport details

According to media reports, a security blunder carelessly leaked the passport details of every player in Argentina's World Cup squad ahead of Tuesday's warm-up friendly against Iceland. And, for once, there wasn't a hacker to blame.

The passport numbers of players, including star Lionel Messi, should have been redacted on an official team sheet before being released to the media and public, but at Alabama's Jordan-Hare Stadium it was circulated without sensitive information being obscured.

All 11 starters on the team as well as the substitutes, were caught up in the breach which occurred before a match played before 88,000 spectators.

But why are passport numbers on a World Cup team sheet at all?

Under FIFA regulations, teams must provide passport numbers around an hour before a match kicks off.

Referees and match officials require the information to verify that the players on the pitch are who the team claims, and that they are eligible to play. In the past, football teams have been caught fielding fraudulently naturalised players, and the passport check is one of the mechanisms designed to catch it before a match rather than afterwards.

So the passport numbers belong in the information handed to the referee.

But where it definitely does not belong is in the copy handed out to journalists, who typically receive a redacted version instead.

In Argentina's case, however, that skip appears to have been skipped entirely.

Passport details are, of course, valuable to criminals as they can be used for identity theft, for the forging of travel documents, or simply building a profile of a wealthy target.

Depressingly, the Argentinian players can be added to the list of incidents where organisations believed that they had hidden sensitive information, only to discover they had done nothing of the sort.

For instance, in January 2019, lawyers for former Trump campaign chief Paul Manafort failed to properly redact evidence filed in federal court.

Although the documents appeared to contain redactions in the form of rectangular black boxes, the underlying text remained accessible to anyone who copy-pasted the docuemnts' contents, revealing that Manafort had shared Trump polling data with an alleged Russian intelligence associate, and had lied about it to federal investigators.

Later, in 2023, during an antitrust hearing, Sony supplied a document that included confidential details on publisher margins, Call of Duty revenues, and game development costs.

Details that Sony did not wish to be shared had been redacted with a black Sharpie marker, but some of them became visible when scanned in.

Most recently, and most worryingly, the US Department of Justice released millions of files related to Jeffrey Epstein in December 2025, some of which used superficial black boxes to obscure information, while leaving underlying data accessible.

What unites all of these incidents is the same problem. People confuse the appearance of redaction with actual redaction.

A black box drawn over text in an electronic document does not necessarily mean that the text can no longer be accessed.

The solution is always the same - whether you are an individual, a company, a government department, or working behind the scenes at the World Cup. Before releasing any document containing sensitive data, verify that the data has actually gone - not just covered up.

Otherwise you could be scoring a privacy own-goal, and putting other people's security at risk.