No one at the Lands Authority is being held responsible for a massive data breach that this week was confirmed by the Data Protection Commissioner.
A spokesman for the authority, which was slapped with a €5,000 fine on Monday after it was found to have infringed General Data Protection Regulations, said that following an internal investigation, it was found that the data breach was a result of a flaw that was designed in-house.
The employee who designed the technical mechanism that caused the flaw has since left the authority, the spokesman said in reply to questions on who should be held responsible.
The spokesman also confirmed that the authority would not be offering any compensation to those impacted.
Instead, the entity is “informing its online applicants that it was found to be in breach of article 32 of the General Data Protection Regulations, in line with the instructions received from the Information and Data Protection Commissioner”.
Asked to explain what this entailed, the spokesman said that there was a “whole process in place” that ensured those impacted were contacted. No replies were forthcoming when this newspaper requested further details on the process.
On what is being done by the authority to make sure that clients’ personal data was safe and that there would not be any similar breaches in the future, the spokesman said that penetration testing by foreign contractors was being carried out, while hosting has been migrated to MITA, the government’s technology arm, to “mitigate any potential risks”.
Despite it being standard practice for government entities to store sensitive data on servers owned and managed by MITA, when the breach occurred, files and information of the Lands Authority were hosted on servers owned by the authority itself.
On the website, which had been designed by Weebee Ltd in 2017, the spokesman said that a new site has not been designed but the existing one was slightly modified to ensure “the highest level of performance”.
Questions on how much this cost and whether the same developers were engaged also remained unanswered.
The data breach was exposed by the Times of Malta in a joint investigation with The Shift News in November, after a massive flaw in the authority’s website inadvertently dumped a huge amount of data online, with ID cards and e-mail correspondence being made searchable through a simple Google search.