While Malta is effectively on lockdown, Malta’s personal data clearly is not. And fingers are now pointing at Parliamentary Secretary for EU Funds Stefan Zrinzo Azzopardi and his brother-in-law, Philip Farrugia.
Internet users realised this week that an ordinary Google search gave access to the backend of the practice management system of Zrinzo Azzopardi’s former law firm (SZA Law Firm, now rebranded 360 Legal), bypassing any login screens or passwords.
Users discovered that they could access the law firm’s complete client list, details of pending bills, confidential client meeting notes and jobs, as well as the law firm’s financial details by merely clicking on Google search hits.
This latest data breach follows the online leaking of over 337,000 Maltese citizens’ personal details including their ID Card numbers, dates of birth and what appears to be their political preferences by C-Planet IT Solutions – the IT company of Zrinzo Azzopardi’s brother-in-law.
A day after the Information and Data Protection Commissioner confirmed that it had opened an investigation into the incident, the Labour Party issued a dubious denial claiming this was not its database, potentially throwing C-Planet under the bus.
The Daphne Foundation has released an online tool for Maltese citizens to check whether they were affected by the massive breach.
C-Planet IT Solutions is both a client of the law firm and its main IT service provider, designing its websites as well as bespoke software systems.
Described by security experts consulted by The Shift as ‘amateurish’, these bespoke software systems failed to offer even the most basic security, as internet users accidentally discovered.
With a simple click on a Google search hit, a user was provided with a 111-page list of all the law firm’s clients including their ID card numbers.
Another hit showed all pending legal bills due to the law firm including confidential details of jobs done for each client and meetings held.
Worse, as if the indexed client lists and other highly confidential data were not enough, two clicks in, unauthorised users could obtain an unencrypted list of all the law firm’s usernames and passwords.
With these details a malicious user would have complete control of the law firm’s entire online system, offering access to yet more highly confidential information.
It is not known how long the data security breach has been ongoing.
Security experts consulted by The Shift note that, just as with Lands Leak, the security flaw is a particularly basic one, which suggests it has been present since the online database was created, potentially going back years. And just as with Lands Leak, Google’s indexing only served to spotlight (and ease access to) a very basic flaw that was already there.
Breaches of data protection laws (notably the EU General Data Protection Regulation, or GDPR), including breaches of the duty to implement security measures, carry hefty fines of up to €20 million or 4% of the violator’s annual worldwide turnover.
Additionally, lawyers such as Zrinzo Azzopardi and the law firm are bound by obligations of professional secrecy that impose criminal sanctions on breaches.
The law firm’s system has since been taken offline but the list of pending bills and other “hits” are still available in search engine caches.
A glimpse into Zrinzo Azzopardi’s direct orders
While Zrinzo Azzopardi, an MP, purportedly resigned as a partner of the law firm in January upon his appointment to Cabinet, the leaked data reveals the extent of the law firm’s reliance on government-linked work, key lobbyists and Labour Party donors as well as the Party itself.
The list of clients includes the Office of the Prime Minister, Central Procurement Services Unit, ARMS, most Ministries – including Health, Infrastructure, and Home Affairs – the Lands Authority, local councils, the Foundation for Social Welfare Services, Malta Business Registry, and the Malta Gaming Authority. Services described range from drafting laws to legal advice or representation.
Zrinzo Azzopardi also appears to have offered his services not only to key lobbyists and donors such as construction behemoths Elbros and Tal-Magħtab Construction or fish farming companies such as AJD Tuna (Azzopardi Fisheries), but also to well-connected companies such as golden passports concessionaire Henley & Partners, or James Fenech’s Fieldsports Ltd.
The client list also includes a fair number of Labour Party clubs as well as the Labour Party itself through its General Secretary.