IT firm C-Planet, recently fined €65,000 by the Data Protection Commissioner over a massive leak of voter data, had used the compromised database when handling different projects for “various clients”.
The names of those clients, though blacked out in the redacted copy of the report published by the Information and Data Protection Commissioner (IDPC), were mentioned in open court on Wednesday when Ian Deguara took the witness stand in a joint lawsuit coordinated by The Daphne Caruana Galizia Foundation and Repubblika.
The action is targeting the IT firm over the security breach which resulted in the leak of more than 337,000 voters’ data, including names, surnames, ID card details, phone numbers, addresses and political affiliation, as of 2013.
As soon as the leak was exposed in April 2020, investigations by the IDPC kicked off and an external auditor was engaged to conduct forensic analysis of C-Planet’s server.
The IT firm denied any wrongdoing, insisting that they had always been under the impression that the information consisted of electoral register data, pointing out that the database had been handed to the firm years previously “by a client”.
That client turned out to be Untours and C-Planet explained that they “had simply been instructed to use that file when creating software for them”.
Untours is a travel agency owned by the General Workers' Union.
But when questioned on this matter, Untours had “categorically denied” this, saying that they had no association with the thousands of records of personal data on the C-Planet database.
Faced with that impasse, the auditor was directed to track any inter-operability between C-Planet’s and Untours’ systems, but reported back to the IDPC that there was no connection between the two.
Since the onus of proof was placed upon C-Planet and since the company failed to come up with concrete evidence to prove it was not the controller, the natural conclusion was that C-Planet was the controller of the database and hence responsible for the breach, Deguara explained, when questioned extensively by lawyer Antonio Ghio this afternoon.
It also emerged that the data file had been given by a “specific individual” who no longer worked at Untours.
“Did you speak to this individual?” asked the lawyer.
“I don’t know who it is,” replied Deguara, explaining that investigations did not target the person but the company.
Parts of the database had been made accessible to other clients of the IT firm.
Probed further about this and under the express direction of the court, presided over by Mr Justice Francesco Depasquale, the commissioner named one of those clients as the Marsaxlokk local council.
C-Planet had been engaged to generate a report on a “voting document system”.
The IT firm had also confirmed that they had once used the database as “test data” for a law firm.
Asked to name that law firm, Deguara said that it was “SZA”.
Although investigations spread beyond the compromised database, the law only granted the IDPC power to investigate the controller so he could not go “on a fishing expedition”, explained Deguara, when pressed further.
“So who created the database?” asked Ghio.
“Someone created it. But that was beyond our remit,” came the reply.
The case continues in May.
Lawyer Sarah Cannataci also represented the applicants. Lawyers Franco Galea and Luana Cuschieri represented the respondents.