[BreachExchange] IDPC launches investigation after over 330,000 voters’ personal data leaked in security breach

Destry Winant destry at riskbasedsecurity.com
Thu Apr 2 10:24:17 EDT 2020


The data protection commissioner will launch an investigation after a
massive security vulnerability left a database containing information
on 337,384 voters from Malta, held by a Maltese IT company, exposed
without security.

The data includes ID numbers, names, addresses, gender, phone numbers
and dates of birth.

It accounts for around 75% of the Maltese population.

Screenshots posted on Twitter and a Reddit thread show that the voter
database was held by software developer C-Planet IT Solutions, in a
folder called VotingDocumentSystem.

Alex Gor at 0xyzq

350K personal data of Malta citizens leaked to the network from the
company of software developer C-Planet IT Solutions
The server is available in free form and is searched through
http://censys.io #gdpr #DataLeak #Malta #censys

12:04 PM - Feb 29, 2020

Alex Gor at 0xyzq

In the leaked to the network database from Malta, allegedly personal
data of the Prime Minister of Malta Robert Abela @RobertAbela_MT #gdpr
#DataLeak #Security

Personal data of nearly 330K Maltese leaked to the public

Posted in r/security by u/useresus • 5 points and 4 comments

2:45 AM - Mar 5, 2020

The company provides IT services for local councils Valletta, Bormla,
Mdina, Isla, Birgu, St Paul’s Bay, Ta’ Xbiex, Marsaxlokk, Marsaskala,
Birzebbugia, Floriana, Sliema, Santa Venera, Naxxar, and Qormi.

C-Planet director Philip Farrugia is brother-in-law to Labour
parliamentary secretary Stefan Zrinzo Azzopardi, appointed in January
as junior minister responsible for EU funds.  C-Planet IT Solutions
described the issue as a 'mishap' and said it would not be replying to
any questions on the matter, insisting the data was "old". The company
is expected to release a statement.

The security breach was detected as early as 29 February, after a
security researcher posted details of the vulnerability of the
company’s server. MaltaToday understands that some data, such as
addresses, might not be up to date.

The source said that anyone who knew the IP address of the vulnerable
server could have downloaded the information. The company was
notified of the leak via email in February, but there was no reaction;
the hole in the server was only closed around 9 March.

Following the publication of the MaltaToday story, deputy data
protection commissioner Ian Deguara told the Times of Malta that he
would be launching an investigation into the matter.

"We got to know about this personal data breach this morning from
media reports. We shall trigger our investigation procedure with the
controller responsible for the processing to establish all the facts
surrounding this security incident," Deguara is quoted as saying.
