According to media reports, a security error leaked the passport information of all the players in the Argentina team that will play in the World Cup before the friendly match against Iceland on Tuesday. And, for once, there was no hacker to blame.
The pass numbers of players including superstar Lionel Messi had to be redacted on the official team sheet before being released to the media and the public, but at Alabama’s Jordan-Hare Stadium they were distributed without sensitive information being hidden.
All 11 players who started the team as well as those who came in as substitutes, were caught in the crossfire that happened before the game played in front of 88,000 spectators.
But why are pass numbers on the World Cup team sheet at all?
Under FIFA rules, teams must hand over passport numbers about an hour before the match starts.
Referees and match officials need information to ensure that the players on the pitch are the ones the team wants, and that they are fit to play. In the past, football teams have been caught cheating on natural players, and the pass check is one of the methods designed to catch before the game rather than after.
So the pass numbers are in the information provided by the referee.
But where it’s missing is in the copy given to reporters, who often get a redacted version.
In the case of Argentina, however, that omission appears to have been completely overruled.
Passport details are, of course, valuable to criminals as they can be used to steal identities, forge travel documents, or simply create a profile of a wealthy individual.
Sadly, Argentine players can be added to the list of incidents where organizations believe they have hidden sensitive information, only to find out they did nothing of the sort.
For example, in January 2019, attorneys for former Trump campaign chief Paul Manafort failed to properly prepare evidence filed in federal court.
Although the documents appeared to contain redacted material in the form of rectangular black boxes, the subtext has been available to whoever copied the contents of the documents, revealing that Manafort shared Trump’s voting information with an alleged Russian intelligence associate, and lied about it to federal investigators.
Later, in 2023, during an antitrust hearing, Sony provided a document that included confidential information on publishers’ margins, Call of Duty revenue, and game development costs.
Details that Sony did not wish to share were redrawed with a black Sharpie marker, but some of them were visible when scanned in.
Recently, and more worryingly, the US Department of Justice released millions of files related to Jeffrey Epstein in December 2025, some of which used external black boxes to hide information, while leaving the underlying data accessible.
What unites all these cases is the same problem. People are confused appearance of restructuring with real restructuring.
A black box drawn over text in an electronic document does not necessarily mean that the text will no longer be accessible.
The solution is always the same – whether you are an individual, a company, a government department, or working undercover at the World Cup. Before removing any document that contains sensitive data, verify that the data is contained actually go – not just covered.
Otherwise you can become your own privacy policy, and put other people’s safety at risk.
