Lands Authority clients’ data was meant to be moved to secure Malta Information Technology Agency servers but the migration had not happened when a basic security flaw was flagged last month, Times of Malta has learnt.
The Times of Malta and Shift News reported last month that personal data was searchable online because of a basic security flaw in the government entity’s website design. IT experts did not exclude the possibility that the flaw had already been there when the Lands Department’s successor was set up last year.
Over 10 gigabytes of data, including ID cards, passports and e-mail correspondence, was made available to anyone carrying out a simple Google search. The data protection watchdog is investigating the breach and the lands regulator website has been offline for a month.
A source familiar with the Lands Authority said the decision to use servers hosted by third parties was made to expedite the setting up of the website last year. The intention was to migrate the data to secure MITA servers, as per normal government practices.
Contacted by Times of Malta, a spokesman for the authority refused to say why the migration never took place, citing ongoing investigations by the data protection watchdog.
Website developers point fingers at Lands Authority
Asked about the planned migration, Nationalist MP Ryan Callus, who sits on the Lands Authority board, said they had been informed about the intention to transfer the data to MITA servers. He said he did not know whether the transfer had eventually been completed before or after the breach, adding he had not been involved in the initial decision to use a third-party service for data storage.
The developers who designed the website have pointed the finger at the Lands Authority over the security flaw.
Webee Ltd, which also designed the Labour Party’s website, said last month it did not write or design the business application code that was subject to the breach. The company had told The Sunday Times of Malta it only designed the front-end of the website, which was launched last year.
“From there on, any further software development on either the website or the business application was not under Webee Ltd’s control and was designed by the Lands Authority’s internal software development team,” the company said.
All the work Webee Ltd delivered to the Lands Authority was secure and did not expose any data, the company insisted.