An IT firm responsible for a massive leak of voter data has been fined €65,000 for data breaches.
Data Protection Commissioner Ian Deguara issued the administrative penalty against C-Planet It Solutions Limited which was hired by the Labour Party to manage a cache of private information on some 337,384 Maltese voters.
The information was leaked online in April 2020.
Names, addresses, ID card details, phone numbers and the voting intentions of around two-thirds of the population were exposed.
Times of Malta had revealed how the database was an internal list of voters which Labour had codenamed ‘Local Area Network’.
Along with information taken from the confidential electoral register, the list included a field with entries of either ‘1’ or ‘2’ beside each voter.
The entry ‘1’ indicated that the voter is considered a Labour supporter, while ‘2’ indicated that the voter is inclined towards the Nationalist Party.
Labour had later distanced itself from the breach, saying its use of data complied with GDPR rules
The data protection commissioner investigated after a request from Independent election candidate Arnold Cassola.
What did the data commissioner find?
Deguara's investigation established that C-Planet, in its capacity as controller of the information, was processing personal data, that was impacted by the breach, in violation of data protection rules.
The commissioner further concluded that C-Planet failed to take steps to ensure a level of security appropriate to the risk.
This led to the breach, he concluded.
Additionally, the company had failed to notify the personal data breach to the data protection commissioner within the deadline stipulated by law. Nor had it informed victims of the breach that they had been affected.
In the report, the commissioner also confirmed that the database contained a category that identified each voters' political opinion.
Such data is considered especially sensitive under the EU's GDPR directive, and the commissioner concluded that C-Planet had infringed the directive by processing such data "without any valid lawful basis".
Reacting to the commissioner’s finding’s Cassola on Monday said it was proof of how the main political parties breach the public’s privacy.
“We now have it officially that our lives are being spied upon by the big political parties,” he said.
The breach was first announced by the online monitoring service Under The Breach in April 2020.
In a tweet, the service had said that data had been left exposed by a Maltese company.
C-Planet owned by junior minister's brother-in-law
C-Planet It is owned by Philip Farrugia, a former production director at One Productions, the media wing of the Labour party.
Farrugia is also the brother-in-law of Parliamentary Secretary for European Funds Stefan Zrinzo Azzopardi, a former president of the Labour Party.
Soon after news of the breach first broke, C-Planet had said it would not be replying to any questions on what it described as a mishap, insisting the data was “old”.
It later issued a statement through its lawyers, saying the company had “immediately” alerted authorities “upon the notification of the alleged breach”.
“In view of the latter, as you may appreciate, no further information can be divulged as it might hinder the ongoing investigations.”