Massive breach of personal data from Lands Authority website

At a Glance:

Over 5,000 Lands Authority online services users’ personal details including Maltese identity cards, passports and confidential documents spread online.
Security experts consulted by The Shift News call this “the biggest data breach in Malta” resulting from gross negligence or crass incompetence.
EU Data Protection rules in force since May 2018 (GDPR) means the Lands Authority is potentially exposed to hefty fines by the Data Protection Commissioner, as well as exposure to claims from affected individuals for damages.

Anyone who has filed an application with the Lands Authority over the past year and a half could have personal details, including identity cards and passports, available on Google after a massive breach from the Authority’s website that could affect up to 5,000 people, a joint investigation by The Shift News in collaboration with the Times of Malta can reveal.

All documents uploaded by users through the website’s online system for applications for the past year and a half were not stored securely. An informed estimate by The Shift News shows that upward of 5,000 users may have their scans of identification documents, signed application forms and all supporting documents compromised.

Anyone could search through these documents and download copies of identity cards and passports with little more than an internet browser using Google or other search engines.

If you wish to check whether you have been affected, you may search your name here.

Those affected by this breach can sue the data controller (in this case the Lands Authority) for damages, including distress.

New EU Data Protection rules in force since May (GDPR) means the Lands Authority is potentially exposed to fines of up to €20 million by the Data Protection Commissioner (if action is taken), as well as exposure to claims from affected individuals for damages including distress.

Security experts contacted by the The Shift News described the breach as the result of “massive incompetence or gross negligence”. Google was allowed to index the entire database of documents uploaded by users.

On 23 September 2017, Infrastructure Minister Ian Borg held a press conference commending the Lands Authority’s new website and online system of applications noting that this will facilitate the application process “while strengthening transparency in governmental departments”.

Those assigned the project took “transparency” to a whole new level. The website was designed by a small outfit called Webee Ltd and, somewhat curiously, hosted by that same firm rather than more secure MITA servers and systems despite its handling of a large amount of personal data from citizens having to submit forms to the Lands Authority.

Web programmers and security experts contacted by The Shift News expressed shock at the scale of the breach and the evident crass incompetence involved.

The breach is a result of something so basic (storing sensitive personal data on an unsecured database and also allowing Google to index the entire database) that experts queried whether the people involved had any relevant experience or qualifications in web security at all.

Given that the database is not secured, any person can take the public links (URLs) from Google and by changing a digit here and there download documents straight from the Lands Authority database.

The web site was taken down on Friday afternoon, but given that Google will retain indexed documents for a period of time, documents remain searchable.