Local water and electricity services company ARMS Ltd has refused to divulge information on the nature and level of security of services provided by C-Planet IT Solutions Ltd, the company linked to a massive leak of the personal data of over 300,000 citizens.
The Shift has discovered that the same company was awarded a direct order of €5,900 for services provided to ARMS Ltd last October. The exact nature of the work awarded to the IT company was not specified and was referred to only as “professional services”.
C-Planet made headlines last month when the personal details of over 337,000 Maltese citizens, some 75% of Malta’s voting population, were leaked from its database. The details included ID Card numbers, dates of birth and perceived political preferences.
The company is owned by Philip Farrugia, the brother-in-law of Labour MP and former Labour Party President Stefan Zrinzo Azzopardi – a lawyer whose own client data was spread all over the internet. A law firm is bound by obligations of professional secrecy that impose criminal sanctions on breaches. There has been no sign of action since this information was revealed by The Shift.
C-Planet’s shoddy work, described as “amateurish” by experts, exposed Maltese citizens to risk and led to the Daphne Caruana Foundation taking the lead to file a class action lawsuit.
The direct order given to C-Planet by ARMS Ltd led The Shift to question the nature of the service provided by C-Planet, whether the IT company had access to the personal details of ARMS Ltd’s clients and whether any measures had been taken to protect data since revelations of the leak.
ARMS Ltd is a private limited liability company, set up as a joint venture between the Enemalta Corporation (EMC) and the Water Services Corporation (WSC). As such, it holds personal data on every household in Malta. This raised concern over whether the data held by ARMS Ltd had been compromised as a result of its contract with C-Planet.
The company refused to answer questions, citing commercial sensitivity.
The answer given by ARMS Ltd was “strange”, according to an expert in data protection law consulted by The Shift. He pointed out that The Shift was not questioning the financial aspects of the agreement. “The questions were related to security measures in the public interest.”
C-Planet also provides IT services to various local councils across the island.
The Information and Data Protection Commissioner had opened an investigation into the incident. This does not offer much consolation to victims of the breach. Over the past seven years, only 30 fines for breaching data laws were issued, ranging from €23.29 to €250, and from €1,000 to €2,000.
The highest fine was €5,000, penalising the Lands Authority in 2019 for a breach of the personal data of more than 5,000 users who made use of its online services. The fine meant that taxpayers had to pay for the mistakes as one government entity fined another. Yet, the government never addressed citizens’ entitlement as victims.
Those affected by the breach were never officially informed of their right to hold government accountable and demand compensation, as is required by law. The government just kept denying the breach, despite the fine from the Data Protection Commissioner.
EU Data Protection rules (GDPR) allow for those affected to claim damages, including distress. The government is also obliged to inform those affected.