Investigation as details of 7,600 companies 'inadvertently' exposed

Malta Tax and Customs Administration launches internal review

Updated 1.45pm with PN reaction 

The tax administration office has launched an internal review after the details of around 7,600 companies were emailed to thousands of recipients by mistake.

In a statement on Thursday, Commissioner for Tax and Customs Joseph Caruana said that during a Malta Tax and Customs Administration routine outbound communication procedure on November 12, a file containing company contact details was "inadvertently" attached to outgoing emails. 

He did not clarify how many companies were involved but Times of Malta understands the details of 7,600 companies were sent out to the tax representatives of each of those companies.

The 7,000 recipients received the company name, registration number, tax number, company status, email address, and phone number. No financial data was disclosed.

The incident took place sometime between 1pm and 3pm.

Caruana said routine outbound communications are normally executed through a secure notification portal, which enables the automated and controlled distribution of bulk notifications to taxpayers and tax practitioners.

"On this occasion, the established workflow was not followed, resulting in a deviation from the standard automated process," the commissioner said in the statement, assuring that the incident did not result from a cyberattack or any form of unauthorised access to government systems.

The MTCA implemented immediate containment actions and initiated a structured review of the technical and procedural workflow.

An internal review was also launched to identify the factors that contributed to the incident and to determine whether any shortcomings warrant appropriate action, he added.

Additional safeguards, validation steps, and oversight controls will be introduced to reinforce process integrity and mitigate the risk of recurrence.

The Information and Data Protection Commissioner was also notified of the incident.

The MTCA said it regretted any inconvenience caused and reaffirmed its commitment to the highest standards of data governance, operational integrity, and accountability across all its functions.

In a statement, the PN described the release of information as "deeply concerning" and said it holds Finance Minister Clyde Caruana responsible. 

"When such a volume of sensitive information ends up in the wrong hands, as has happened in this case, it is not the result of an individual mistake, but evidence of systemic failures in the way data is handled, safeguarded, and managed," it said. 

Sign up to our free newsletters

Get the best updates straight to your inbox:

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.