Updated 8.30pm with Authority statement that investigation has been launched - A massive security flaw in the Lands Authority’s website has inadvertently dumped a huge amount of personal data online, a joint investigation by Times of Malta and The Shift News has found.
Identity card details, e-mail correspondence, affidavits and other compromising data were made easily searchable on the internet thanks to the security flaw in the Land Authority’s website.
Times of Malta was able to access over 10 gigbabtyes of personal data from the Lands Authority through a simple Google search.
Much of the data contained highly sensitive correspondence between individuals and the authority.
Chairman not aware of any issues
Contacted for a comment, Lands Authority Chairman Lino Farrugia Sacco said he was not aware of any issues.
Lands Authority CEO James Piscopo did not take calls from the Times of Malta.
An IT expert who spoke to Times of Malta said the security flaws had likely been in place ever since the Land Authority’s inception in early 2017.
The website was taken down within hours of Times of Malta flagging the breach to the Data Protection Commissioner on Friday.
A spokesman for the Commissioner said his office took immediate action and initiated an investigation into this “alleged data breach” with the Lands Authority.
“The Commissioner will take the necessary action in terms of his powers at law to ensure that the fundamental rights and freedoms of data subjects are safeguarded at all times”, the spokesman said.
GDPR regulations feature heavy fines for such breaches
The IT expert who spoke to The Times of Malta said the breach likely occurred as a result of access to private files not being securely locked down.
This flaw allowed search engines like Google to index personal data and allow it to be searched and downloaded.
Lawyer Michael Zammit Maempel said the new general data protection regulation (GDPR) laid down a number of procedures in the case of such breaches.
Dr Zammit Maempel said the Data Commissioner would now need to decide whether he needed to contact each person whose data was compromised to explain the situation and offer them a remedy.
He said the GDPR regulations envision fines of up to €20 million for such breaches.
The Lands Authority could also face individual claims for damages from people whose data had been breached, Dr Zammit Maempel said.
Lands Authority - Investigation has been launched
In a reaction after the data leak was revealed in the media, the Authority said that after it was informed of the 'alleged' breach, immediate action was taken and the website was put offline.
An investigation was promptly launched about the case.