
Citizens still without remedy after massive breach of personal data

Data Commissioner fines Lands Authority €5,000 over security flaws exposed by joint investigation by The Shift News and The Times of Malta.


The fine of €5,000 imposed by the Data Protection Commissioner on the Lands Authority for a massive breach of citizens’ personal data exposed by a joint investigation by The Shift News and The Times of Malta may seem small but it was actually one of the highest on record in Malta. But is that penalty, effectively payable by the government to itself, enough of a remedy?

Thousands of people were affected by the breach despite the authorities stating no personal data was leaked. Both The Shift News and The Times of Malta have clearly and unequivocally stated that they could access at least 10 gigabytes of personal information (including the ID cards, e-mail correspondence, affidavits and other compromising data of thousands of individuals) through a simple Google search.

That opened up this personal data to all kinds of abuse. It also meant that the data, because of its open disclosure on the internet (including, at the very least, indexing by Google’s servers), was transferred outside the EEA.

The €5,000 fine imposed by the Data Protection Commissioner on the Lands Authority, announced on Monday, will effectively be passed from the government’s left pocket to its right pocket.

Yet the victims, the citizens whose rights to privacy were breached, have hardly been informed that they have a remedy let alone provided with one.

A sample of the data that could be accessed on Google search engine as a result of the massive breach of personal data by the Lands Authority.

Each person who uploaded a copy of their identity card and other similar confidential information through the Lands Authority website over more than a year had not only a legitimate expectation that such information uploaded on a supposedly secure government website would actually be kept confidential, but also a legal right to their personal data being safeguarded and processed lawfully. This right was breached – spectacularly.

The Data Protection Commissioner is following the law and the fine reflects the breach’s gravity (up to a few years ago the previous highest fine in Malta was €500). Yet the law also states that those whose data was breached must be informed, including of their right to sue the government. That part of the equation has not happened, compounding the abuse.

The Lands Authority’s privacy policy

So while the fine seems to have delivered a result, it just resulted in the offender not really suffering any punishment (the fine gets paid by the government to the government) and the victims not being given the chance to hold the authorities to account and not even being informed of their right to a remedy.

The Lands Authority said “it chose” to respect the Commissioner’s decision despite its right to appeal, adding that this conclusion (that no personal data was leaked) was based on the outcome of its internal investigation. The ‘independent’ auditor appointed by the government without a public call was none other than a reporter on the Party’s TV channel, Charlene Muscat, who is the Labour Mayor of the village of Mqabba.

The internal investigation was so ‘thorough’ it is refusing to acknowledge the sheer amount of personal details the Authority made available online for more than a year until the investigation by The Shift News and The Times of Malta alerted them. And they are still refusing to inform those affected, either because they don’t know or because they don’t want to open up the government to potentially millions in damages it would have to pay to citizens.

Their denial comes in the face of ID cards published when the information was available to all on Google – including the ID of the Authority’s ‘independent’ auditor that was among the data dumped on search engines for everyone to access and possibly abuse. Yet there is still no admission that this could have been possible (so we are publishing Charlene Muscat’s suitably redacted ID card to prove the issue is being ignored).


Citizens must be informed if their personal data was compromised by the government, because it was – for thousands of people. They have the right to demand answers from the Authority.

This breach occurred because rather than using MITA – the State facility in which €7 million was invested to hold such sensitive data securely – the government chose to use a young company that pledged its loyalty to Joseph Muscat by compromising the Opposition Leader’s website during the general election.

The company – Webee Ltd – also handles the website for the Labour Party in government and the Prime Minister’s wife’s charity Marigold Foundation, among other clients that include Labour MEP Marlene Mizzi and pro-Muscat Sunday paper Kulhadd.

Despite the massive breach of personal data, the company has faced no sanctions. It blamed the government for the breach, and the government did not contest it. On the contrary, the company was further rewarded with a stream of new contracts.

In short, there has been no accountability and taxpayers continue to be denied their right to know about the availability of a remedy.

Read the investigation:

Massive breach of personal data from Lands Authority website
