Malta Independent

Breach of privilege


Last Friday, two independent media houses, The Times of Malta and Shift News, revealed that a massive leak of personal data had occurred.

Up to 5,000 persons who for one reason or another had dealings with the Lands Authority ended up with their personal details being made public on the authority’s website because of weak or non-existent security measures.

The breach affected those who had submitted an application to the authority over the past year and a half. People’s identity cards and passports, e-mail correspondence, affidavits and other data could be sourced online through a simple Google search.

In reply, the authority countered that there had been no breach of confidential information from the security flaw on its website. It argued that the documents available on its website were actually intended for public viewing because those individuals who submitted an application online had to give their consent that the document would be subject to ‘public inspection’.

This was done, the authority continued, because the applicants had to tick a mandatory check box when submitting their application. This, the authority said, was ‘required by law’.

In actual fact, even this is wrong because, according to the new EU Data Protection rules in force since last May (known as GDPR), mandatory check boxes are not allowed, consent needs to be freely given and opt-out boxes are not permitted. Nor can rights under GDPR be waived in this manner.

The website was taken down within hours of the news being broadcast. An investigation was also launched.

But people’s personal data could still easily be accessed through a simple Google search. People could still check to see if their names were mentioned.

Now this is very serious. The law says big breaches of data confidentiality can beget fines of up to €20 million or 4% of annual global revenue in the case of big multinationals. For a smaller body like the Lands Authority, the fine might be in the region of €50,000 plus an additional €50 per day of breach, but in this case it would be money from the authority going to the government.

What can be worse are claims by people whose data confidentiality has been breached, who can sue for damages.

An IT expert said the breach quite likely occurred because access to private files was not securely locked down. This flaw, existing since the authority was set up in 2017, allowed search engines like Google to index personal data, so that it could be searched and downloaded.

Experts consulted claimed this was no security flaw but “flagrant disregard of basic security”.

The next day, there was a comic and tragic sequel. It emerged that the person handling the inquiry, described in the Lands Authority statement the day before as the ‘independent chief audit officer’, is none other than the young (29) mayor of Mqabba, who was engaged directly by the Lands Authority for this post without applying for it and despite her lack of experience in the field. She was herself affected by the breach, for her personal details are available on the compromised website.

The funny thing is that for the past 10 years, Malta has invested heavily in the Malta Information and Technology Agency, which spent over €7 million on Tier 3 highly secure servers and equipment and insisted on detailed requirements as regards hosting on government servers and security in general.

Yet for some obscure reason a small and private company was entrusted with the handling of the private data of citizens, handled by other private citizens instead of being answerable to the people and outside the boundaries imposed by MITA.
