An IT company official admitted in court on Wednesday that he initially thought that a report about a data leak from his company was an April Fools’ joke.
The data leak from local IT firm C-Planet was revealed by Times of Malta on April 1 last year.
Network Security Engineer, Lorenzo De Rita, was testifying in an action for damages filed jointly by more than 620 people after the personal data of more than 337,000 voters was leaked in the security breach.
The company had explained that the leak was a mishap involving “old” data which included names, surnames, ID card details, phone numbers and addresses of voters.
The owner of C-Planet IT Solutions was Philip Farrugia, who previously worked with the Labour Party’s media wing.
De Rita, who worked with the company for the past four years and was tasked with sales and customer support, testified that he had no involvement in the data leak since it was not part of his work project.
Facing questions by one of the applicants’ lawyers, Antonio Ghio, the witness said that he was not involved in any internal discussion after the incident.
He said he had forwarded a media report on the data leak to one of his work colleagues, thinking that it was some kind of April Fools’ joke, since the story made the headlines on April 1, 2020.
He had then asked Philip about it but got no information, the witness explained.
Shown a screenshot from the leaked data, De Rita said he could not recognize any of the clients he serviced on that list, whilst adding that his work focused mainly on providing desk support to local councils.
As for privacy policies and procedures existing within the firm, the witness said that they followed GDPR rules and governance guidelines, adding that he would have to confirm when that document was last updated.
Daniel Schembri, a programmer and former IT administrator, working at C-Planet for the past 11 years, testified that he had been working on a project on the SQL database, whereby inputting an ID card number would return details of the holder’s name and address.
That was before GDPR, the EU General Data Protection Regulation, and the witness could not recall the particular client.
However, Schembri did recall that the project had formed part of a “bigger programme” tailored for use in issuing clients’ bills.
“But I don’t recall who the particular client was,” said the programmer, directing similar questions to “Philip,” his direct superior.
Earlier in the sitting, Chief Electoral Commissioner Joseph Camilleri explained the process whereby copies of LOPEV (List Of Persons Entitled To Vote) are handed out to delegates of political parties for election purposes.
Old versions of those lists were stored in the Electoral Commission’s system and only the electoral office had access to that data.
Asked whether the data was handed to the party or its delegates, Camilleri said that party delegates were those acknowledged by the Commission, adding that he would have to verify the manner of transmission since he was not in office in 2013, the date of the lists in question.
Certain data was accessible to particular members of the Commission but not others.
Under further questioning by C-Planet lawyer, Franco Galea, Camilleri explained that today there was an IT officer responsible for releasing data from the system.
The Commission’s primary source of data was Identity Malta.
An application for an ID card triggered an application for the right to vote which, in turn, is evaluated by the Commission in respect of general, MEP and local council elections, explained the Chief Commissioner.
Although the Electoral Commission system was directly linked to ID Malta’s address management system, currently the Commission was undertaking an exercise to verify street names.
Once that check is complete, locality by locality, ID Malta is “locked out to avoid dual persons working on the system,” Camilleri explained.
Consulting documents at hand, Camilleri said that the media report about the alleged data leak had sparked an investigation by the Electoral Commission that requested guidance from the Information and Data Protection Commissioner.
The case, presided over by Mr Justice Francesco Depasquale, continues in October.
Lawyers Antonio Ghio, Sarah Cannataci, Michael Zammit Maempel, Carl Grech and Deo Falzon represent the applicants.