A “security vulnerability” identified on the Ombudsman’s website allowed potential attackers to view complaints submitted by citizens.

The vulnerability was flagged by the Daphne Caruana Galizia Foundation earlier this month.

In a letter to the Information and Data Protection Commissioner (IDPC), foundation director Matthew Caruana Galizia flagged how the vulnerability allowed attackers to see the description or title of the complaint, the time it was submitted, the URL associated with that complaint and the username of the person submitting it.

In most cases, the username is so close to the complainant’s real name, and sometimes even contains their year of birth, that combined with the information in the complaint description, the attacker is able to conclusively determine the complainant’s real identity, Mr Caruana Galizia said.

Privacy expectations of users are the highest possible

The foundation director also raised alarm about the fact that the Ombudsman’s website was hosted on a private server, meaning it was not subject to the same security controls as government websites.

“For a service as crucial as that of the Ombudsman, where the security and privacy expectations of users are the highest possible, this is an unacceptable security risk,” Mr Caruana Galizia wrote.

Mr Caruana Galizia told Times of Malta that after he flagged the vulnerability, both the IDPC and Ombudsman’s office took action to have the leak plugged almost immediately.

He said the investigation must now uncover how this vulnerability came to exist in the first place and whether anyone in government knew about the vulnerability.

Times of Malta independently confirmed that the vulnerability allowed these private complaints to be viewed. It was able to see the nature of the complaints submitted to the Ombudsman by individuals.

The Ombudsman’s website allowed attackers to run a script that would easily download all complaints submitted via the website. At least two complaints had even been indexed by Google, meaning they would show up in search results.

A spokesman for the Information and Data Protection Commissioner (IDPC) confirmed the office had been alerted about the “security vulnerability” on the complaints module of the Ombudsman’s office.

The spokesman said the Commissioner took immediate action and imposed a temporary ban on the processing of complaints.

“Whereas the investigation is ongoing, I would like to emphasise that the Ombudsman’s office fully cooperated with this office, in spite of the fact that this issue happened over a weekend and a public holiday”, the spokesman said.

A spokesman for the Ombudsman’s office similarly confirmed the “issue” on the website.

The spokesman declined to give details on the number of people affected by the vulnerability.

According to the Ombudsman’s last available annual report, the office received 313 written complaints in 2018, although there was no information about whether these complaints were submitted through the online platform.

The spokesman insisted the security issue was not being considered by the Ombudsman as a data breach in terms of data protection laws. He said the nature of the information disclosed was not personal data and most, if not all, of it was already in the public domain.

“Our external IT service provider, a reputable private entity that designed and that manages our website, has taken several precautionary measures and has already provided us with a detailed report on the matter. Further investigations are ongoing,” the spokesman said.

The spokesman said the personal data of complainants was safe and there was no “cause for alarm”.

“We would be happy to explain the matter in detail once the IDPC finalises its deliberations,” the spokesman concluded.

Last year, the Ombudsman slammed the prime minister’s office for putting details about the confidential reports it receives into a government report.

The Ombudsman had said those submitting complaints to his office did so on the understanding that their identity and the nature of their grievance would be protected from “undue and unwanted publicity”.
