Lands Leak: False assurances following massive breach of personal data

The Lands Authority has announced there was ‘no breach of confidential information’ from the security flaw on its web site, despite clear evidence published on Friday that people’s identity cards and passports could be sourced online through a simple Google search.

An investigation by The Shift News and the Times of Malta revealed that up to 5,000 individuals could be affected by a massive breach of personal data from the Lands Authority web site as a result of weak to non-existent security measures.

The breach affected those who filed an application with the Authority over the past year and a half.

The Authority is arguing that the documents available online were actually intended for public viewing, because individuals submitting an application online had to give consent that the document would be subject to “public inspection”.

This, the Authority said, was made through “a mandatory check-box” that had to be ticked when submitting the document.

The statement also said this was “required by law” when new rules EU Data Protection rules in force since May (GDPR) neither permit mandatory check boxes (consent needs to be freely given and opt-out boxes are not permitted), nor can rights under GDPR be waived in this manner, data protection lawyers have confirmed.

The breach affected around 1% of the Maltese population, and it has been going on since April, 2017, when the “new” website was set up.

GDPR is often linked to big fines (up to €20,000,000 or 4% of annual global revenue) designed to act as a deterrent for large multinationals but the fines are not the biggest deterrent for government entities.

A fine imposed by the Data Protection Commissioner on the government would go from the left pocket to the right pocket, accordingly the fines are set at a lower tier (up to €50,000 plus €50 per day of breach).

The real deterrent under GDPR for government entities is that those affected can now sue the data controller (in this case the Lands Authority) for a wide range of damages, including distress.

It is not yet known whether the government or the Lands Authority intends notifying affected individuals in accordance with Article 34 of GDPR.

Described by security experts as the result of evident “crass incompetence”, thousands of applicants’ personal information including identity card details, application forms, affidavits and confidential documents and contracts were not only compromised, but accessible through a simple Google search.

People could click on results and download copies of other person’s identity cards as well as internal and external correspondence along with other supporting documents such as contracts, deeds and affidavits.

It was not an “alleged” breach, as official statements have led the public to believe – evidence was published by both The Shift News and The Times of Malta.

Neither was it a mere “security flaw,” according to security experts consulted by The Shift News who said it was “a flagrant disregard of basic security”.

The government pulled the plug on the Lands Authority website at around 11am on Friday, after questions on the breach were sent by the press to the Data Protection Commissioner.

Yet, people’s personal data was still available through a Google search. When The Shift News published the investigation announcing the breach on Friday evening, a link was made available for individuals to check whether they were affected by this breach.

People could actually verify whether their name came up. For example, this hit refers to the Chairman of the Malta Council for Science and Technology Jeffrey Pullicino Orlando’s identity card:

Notwithstanding the self-evident nature of the breach, the government has so far refused to acknowledge the ramifications of the massive breach or take responsibility for the failure.