The passport numbers should have been redacted on an official team sheet before it was released to the media and public. Instead, at Alabama's Jordan-Hare Stadium, the document was circulated without sensitive information being obscured. All 11 starters and every substitute were caught up in the breach, which occurred before a match played in front of 88,000 spectators.
Why passport numbers appear on a World Cup team sheet
Under FIFA regulations, teams must provide passport numbers around an hour before a match kicks off. Referees and match officials require that information to verify that the players on the pitch are who the team claims, and that they are eligible to play.
In the past, football teams have been caught fielding fraudulently naturalised players. The passport check is one of the mechanisms designed to catch that before a match rather than afterwards. The passport numbers belong in the information handed to the referee.
Where they do not belong is in the copy handed out to journalists, who typically receive a redacted version instead. In Argentina's case, that step appears to have been skipped entirely.
What leaked passport data can be used for
Passport details are valuable to criminals. They can be used for identity theft, for the forging of travel documents, or simply building a profile of a wealthy target. The Argentinian players can be added to a long list of incidents where organisations believed they had hidden sensitive information, only to discover they had done nothing of the sort.
Other redaction failures
In January 2019, lawyers for former Trump campaign chief Paul Manafort failed to properly redact evidence filed in federal court. Although the documents appeared to contain redactions in the form of rectangular black boxes, the underlying text remained accessible to anyone who copy-pasted the documents' contents. That revealed Manafort had shared Trump polling data with an alleged Russian intelligence associate, and had lied about it to federal investigators.
Later, in 2023, during an antitrust hearing, Sony supplied a document that included confidential details on publisher margins, Call of Duty revenues, and game development costs. Details that Sony did not wish to be shared had been redacted with a black Sharpie marker, but some of them became visible when scanned in.
Most recently, and most worryingly, the US Department of Justice released millions of files related to Jeffrey Epstein in December 2025. Some of those files used superficial black boxes to obscure information while leaving underlying data accessible.
The shared problem behind these leaks
What unites all of these incidents is the same problem. People confuse the appearance of redaction with actual redaction. A black box drawn over text in an electronic document does not necessarily mean that the text can no longer be accessed.
The solution is always the same, whether you are an individual, a company, a government department, or working behind the scenes at the World Cup. Before releasing any document containing sensitive data, verify that the data has actually gone, not just covered up. Otherwise you could be scoring a privacy own-goal, and putting other people's security at risk.
