The man involved in a massive data breach at the Lands Authority revealed last year, where the personal data of up to 5,000 people was negligently made public, has moved on to greener pastures and is now handling data and information security at the Malta Financial Services Authority (MFSA), the financial regulator, while the public has received no compensation or even an apology.
Anyone who had filed an application with the Lands Authority in 2017 and 2018 risked having their personal data, including identity cards and passports, publicly available on Google after a massive breach from the Authority’s website, a joint investigation by The Shift and The Times of Malta had revealed.
Keith Mintoff, one of the Labour Party’s ‘young stars’ in the campaign for the 2013 general elections that saw the Party take power, was identified in a report tabled in parliament as being centrally involved in the breach.
The Shift can now confirm that Mintoff has moved on to a senior position at the MFSA, again handling sensitive data at the Authority’s Data Management and Business Intelligence Unit, despite his part in the breach at the Lands Authority.
After the press exposed the fact that the personal data of thousands of citizens could have been available to search engines for more than a year, an internal report was commissioned and tabled in parliament on the assessment in relation to the breach. It states:
“At the beginning of December 2017, Carlo Mifsud, who then occupied the post of CEO at the Lands Authority, requested Keith Mintoff, Senior Manager (Technology)… to develop a status page, in order to enable applicants to track their applications and to ensure that the general public gains visibility of applications and enquiries related to public land. Mintoff informed Mifsud and Mario Borg, who then occupied the post of Senior Manager (Business Development and Estate Management), that the status page was created on the 9 December 2017. Mintoff was then requested to create a details page as well, in order to enable the general public to also view the documents that were uploaded in support of the various applications. The investigation team was informed that the details page was created by the end of December 2017. Through the creation of these pages, anyone wishing to view documents related to a particular application or parcel of land could run a search, click on the particular application one wished to view, and access all documents that the applicant would have uploaded in support of the particular application.”
The problem is that those details, related to forms that required applicants to upload Identity Cards, passports and personal addresses, were not secured and led to them being visible to and indexed by search engines for the world to see and download at leisure until the press revealed the breach (see sample below of personal data that could be seen on the internet at the time).
The report also includes copies of internal correspondence within the Lands Authority following The Shift’s and the Times of Malta’s reports on the breach. On 21 February 2018, Mintoff was urgently requested to “close with immediate effect the details screen of applications where we see everything”.
Subsequently, the entire Lands Authority website was taken offline and Google appears to have been requested to urgently suspend any search results from that website and Webee’s hosting site. However, the damage was done.
Rather than using MITA – the State facility in which €7 million was invested to hold such sensitive data securely – the government chose to use a young company that pledged its loyalty to Joseph Muscat by compromising the Opposition Leader’s website during the 2017 general election. The company – Webee Ltd – also handled the website for the Labour Party in government and the Prime Minister’s wife’s charity Marigold Foundation, among other clients that included former Labour MEP Marlene Mizzi and pro-Muscat Sunday paper Kulħadd.
The Lands Authority data breach was described by security experts as the result of “massive incompetence or gross negligence”. Experts queried whether the people involved had any relevant experience or qualifications in web security at all. Yet, Mintoff was then given the post of Senior Manager at the MFSA’s Data Management and Business Intelligence Unit.
Despite the evidence, the Lands Authority had announced there was “no breach of confidential information” from the security flaw on its website, facetiously claiming that the documents available online were actually intended for public viewing. They claimed that individuals submitting an application online had to give consent that the document would be subject to “public inspection”.
Lawyers and data protection specialists had said the argument was “irrelevant” and that the consent given was not for the leak of their personal data on such a massive scale. The Lands Authority also failed to inform those affected, as required by law in case of high-risk breaches.
Every individual who had uploaded a copy of an Identity Card and other similar confidential information through the Lands Authority website over more than a year had not only a legitimate expectation that such information uploaded on a supposedly secure government website would actually be kept confidential but also a legal right to their personal data being safeguarded and processed lawfully.
The law also states that those whose data was breached must be informed, including their right to sue the government. That part of the equation has not happened, compounding the abuse.
A month after the breach was revealed, the Information and Data Protection Commissioner had confirmed the breach and imposed a €5,000 fine on the Lands Authority – a fine that is paid with taxpayer money.
So while the imposition of a fine confirmed that the Lands Authority had breached data protection laws, it just resulted in the offender not really suffering any punishment (the fine gets paid by the government to the government) and the victims were not given the chance to hold the authorities to account. They were not even informed of their right to a remedy.
Minister Ian Borg, then responsible for the Lands Authority, gave no apology for the breach and played down the incident.