Developers who designed a Lands Authority website through which sensitive personal data was inadvertently made available online due to a major security flaw have pointed their fingers at the Authority over the breach.
Replying to questions by The Sunday Times of Malta, Webee Ltd said it did not write or design the business application code that was subject to the breach.
A joint investigation by the Times of Malta and Shift News discovered how thousands of documents, including ID cards, entrusted to the Lands Authority, could be searched and downloaded through Google and other search engines.
An internal investigation by the Lands Authority as well as an investigation by the Data Protection Commissioner is under way.
Webee Ltd told The Sunday Times of Malta it only designed the front-end of the website, which was launched last year.
“From thereon, any further software development on either the website or the business application was not under Webee Ltd’s control and was designed by the Lands Authority’s internal software development team,” the company said.
All the work Webee Ltd delivered to the Lands Authority was secure and did not expose any data, the company said.
Asked why data from a government entity appeared to be hosted on a Webee server, the company insisted that the server was owned by the Lands Authority.
“The domain, laapp.webee.com.mt [through which the data was made available online on search engines] was showing because the A record entry pointing to the business application API was initially set on Webee’s DNS,” the company said.
“Webee Ltd has always acted professionally and recommends best practices to all its clients,” the company said.
The Lands Authority on Saturday scrambled to play down the significance of the breach of people’s confidential information. In a statement, the Authority argued that documents submitted to it were covered by a disclaimer allowing them to be made available for public inspection.
The technical flaw identified allowed for this data to be made accessible outside the Lands Authority’s website, the statement said.
Questioned if the Lands Authority had contacted people whose private data had been breached, a spokesman for the Authority said “a breach considered to be of high-risk to the rights and freedoms of the data subjects would require communication.”
Sensitive data handled by government entities is usually stored on servers owned and managed by MITA, the government’s technology arm, for security purposes.
According to the spokesman, the files and information of the Lands Authority are hosted on servers owned by the Authority itself. The spokesman said Webee Ltd had been engaged directly to design its website.
Webee Ltd’s portfolio includes the Labour Party’s website, the Marigold Foundation as well as government entities like the Lands Authority and Identity Malta.
Assassinated journalist Daphne Caruana Galizia had reported last year that Webee Ltd registered a spoof website masquerading as an official site for former Opposition leader Simon Busuttil.
Webee Ltd was used by the government for its 2015 and 2016 budget promotion campaigns, as well as a €34,000 social media campaign promoting Labour’s first four years in government.
The Lands Authority’s website was taken down on Friday, within hours of the Times of Malta flagging the data protection breach to the Data Commissioner.
A spokesman for the Data Commissioner said the “alleged” breach was being investigated. “The Commissioner will take the necessary action in terms of his powers at law to ensure that the fundamental rights and freedoms of data subjects are safeguarded at all times,” the spokesman said.