Data protection specialists threw cold water on the Lands Authority’s assertion that “no confidential information” was leaked and that there were “no data protection concerns”, saying that even if citizens had ticked the box consenting to “public inspection” they had certainly not granted the Authority consent to spread their personal data on Google.
Former president of the Chamber of Advocates Reuben Balzan also called out the Lands Authority’s justification, saying it was “irrelevant”. “The law protects the processing of personal data not confidential data. And processing of ID card data is specifically regulated,” Balzan said.
The massive breach of data by the Lands Authority, exposed on Friday following an investigation by The Shift News and The Times of Malta, showed that more than 10 GB of data, amounting to some 15,000 documents, submitted by citizens to the Authority through its website were being made available on Google from day one of the launch of the ‘new’ web site in April 2017.
Around a third of the documents are identity cards and passports that were openly accessible to anyone who bothered to look. All that was required was a browser and Google. Security experts consulted by The Shift News described this as “massive” and the result of either “crass ignorance or gross negligence“.
Data protection lawyer Michael Zammit Maempel also said that the Authority’s statement to the public, saying that people ticked a box giving consent to the “public inspection” of their applications, did not hold water.
“Lands are trying to justify the leak on the basis that data subjects ticked those boxes, therefore they’ve consented, therefore no big deal that the data can be seen by all. But that’s perverse logic.
That doesn’t justify a leak on this scale.
“By no stretch of the imagination, did those data subjects grant Lands the permission to allow Google to index all that data. Which means that Lands shouldn’t be allowed to justify this incident on the basis of those check boxes, and shouldn’t be allowed to use them as a ‘Get Out of Jail Free’ card,” Zammit Maempel said.
Other data protection experts consulted by The Shift News added that it was particularly concerning to see a public authority point towards consent forms in a thinly veiled effort to brush off data protection concerns.
New EU data protection rules (GDPR) which came into effect this year double down on protection of personal data and the rights of data subjects.
The Data Protection Commissioner is investigating the matter. The Lands Authority also said its “independent chief auditor” was leading its investigation – the Authority’s “independent” auditor is the Labour mayor of Mqabba, appointed to the post at the start of the year at the ripe age of 29 with no particular experience in audit.
Mayor Charlene Muscat was a former reporter at the Labour Party’s news outlet One, and a political campaigner for Justice Minister Owen Bonnici.
The decision to handle and store personal data on what appears to be a private server hosted by Webee Ltd was slammed by the former executive chairman of the Malta Communications Authority, Philip Micallef. He stressed that over the past 10 years the government had invested heavily in beefing up MITA resources including highly secure servers (Tier 3) and equipment, including detailed requirements as regards hosting on government servers and security.
Yet, for some reason, a private company seems to have been entrusted with handling the private data of citizens rather than the more secure option available to the State.
Those filling applications to the Authority thinking their data would be in official hands instead appear to have been sending their data to a private server, handled by other citizens (not civil servants answerable to the people) and outside of the boundaries imposed on MITA.
The company assigned the project, Webee Ltd, told the Times of Malta: “The domain, laapp.webee.com.mt (through which the data was made available online on search engines) was showing because the record entry pointing to the business application API was initially set on Webee’s DNS (domain name server)”.
The separate domain where all private documents including ID cards submitted to the Lands Authority were being stored (http://laapp.webee.com.mt) and could be accessed, now includes an automatic redirect to the Authority’s actual website (http://landsauthority.org.mt).
Although the data had a primitive username and password screen if someone tried to visit files hosted at http://laapp.webee.com.mt, the database was neither secure nor encrypted.
As a simple analogy, consider a library full of books. You have some books that held on shelves that people can look at and pick books off the shelf at leisure. That is the public side of the website.
Then there are private books normally stored under lock and key. If you have the right to look at them you must ask the librarian who will check whether you are authorised, take down your order, open the locked cupboard, find the book and give you only that book. If you are not authorised, don’t know what book you want or act rude, the librarian will throw you out. If you try to barge in and run around the librarian you will be stopped by the locked cupboard.
That is a very simplistic explanation of a private and secure database. This is the norm when dealing with confidential information such as personal data including identity card images and details, financial information, and other information which people would not expect to find online.
In this case, there was a form of librarian (the login screen) but not only was there no lock (or door) but the shelves with the private books was right there in the lobby.
To make matters worse, the website designers allowed Google to index the entire site where these private documents were stored essentially allowing Google to act as the librarian.
The problem lasted until 1am last Saturday, after news of the leak was published by The Shift News and The Times of Malta. But in the year and a half that the problem persisted, anyone could access them and download them.
For example, clicking on this link took you straight to Jeffrey Pullicino Orlando’s ID card: http://laapp.webee.com.mt/content/gla3/82.
It is this basic lack of security and sheer disregard for basic rules of data handling that left security experts consulted by The Shift News stunned.
The government has yet to make a statement on the breach of personal data collected from citizens. The Lands Authority has not yet committed to informing those affected – some 5,000 people – as required by law in case of high risk breaches.