Three computer science students and their lecturer will be charged in court after they found and exposed security flaws in Malta's largest student application two years ago. 

In October 2022, Michael Debono, Giorgio Grigolo and Luke Bjorn Scerri were arrested after they highlighted vulnerabilities in FreeHour, an app that helps students manage their schedules. 

The students had e-mailed FreeHour to inform the company of the security flaw and requested a reward - or ‘bug bounty’- a common practice in ethical or ‘white hat’ hacking. Instead of a payoff the University of Malta students were arrested, strip-searched and had their computer equipment seized.

The charges accuse Grigolo, Bjon Scerri and Debono of gaining unauthorised access to a computer’s data, software or supporting documentation held in the computer and using, copying or modifying the data, software or document.

The three students and their lecturer Mark Joseph Vella will appear before Magistrate Marse-Ann Farrugia in March 2025.

The trio are also accused of having prevented or obstructed the inputting of data without any authorisation, as well as having obstructed or prevented the use of the computer system or software. 

Vella, a senior lecturer of Computer Science at the University of Malta, is accused of being an accomplice to the students. 

Grigolo is charged separately for the unauthorised output of data, software, or supporting documentation from a computer. He is also charged with having copies of any data, software or supporting documentation in any storage medium other than the original location of the data. 

A fourth student, Luke Collins, who was originally arrested has not been charged.

From left to right: Michael Debono, Luke Bjorn Scerri, Luke Collins and Giorgio Grigolo had told their story to Times of Malta. Photo: Daniel TihnFrom left to right: Michael Debono, Luke Bjorn Scerri, Luke Collins and Giorgio Grigolo had told their story to Times of Malta. Photo: Daniel Tihn

Former book council chair and author Mark Camilleri posted the charge sheet on his blog on Friday. 

The charges were filed by AG lawyers Nathaniel Falzon, and Andreas Vella and inspectors Marcus Cachia and Warren Muscat. 

In a Facebook post, Debono said despite feeling exhausted from the two-year saga, he hopes the case will result in a better climate for cybersecurity.

“It’s crazy that I’ve had to spend almost two years now dealing with the fallout of an incident that should have been resolved over a table in a day with Freehour and the police," he said.

Speaking to Times of Malta, Debono said it is "unbelievable" that their lecturer was charged alongside them. 

He clarified that Collins was not charged because he was not 'actually involved' in the case, but he just signed an email.

Last month Times of Malta reported on how the three students were barred from competing in a European cybersecurity challenge they qualified for last month.

Earlier this week, the Nationalist Party urged the government to resolve the ongoing issues involved in the case. 

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.