Updated | IDPC launches investigation after over 330,000 voters’ personal data leaked in security breach

Online security researcher says 337,000 Maltese voters’ data held by private IT company were exposed during 10 days of server vulnerability

The data protection commissioner will be launching an investigation after a massive security vulnerability - in a database containing information on 337,384 voters from Malta that was being held by a Maltese IT company - led it to be exposed without security.

The data includes ID numbers, names, addresses, gender, phone numbers and dates of birth.

It accounts for around 75% of the Maltese population.

Screenshots posted on Twitter and a Reddit thread shows that the voter database was held by software developer C-Planet IT Solutions, in a folder called VotingDocumentSystem.

The company provides IT services for local councils Valletta, Bormla, Mdina, Isla, Birgu, St Paul’s Bay, Ta’ Xbiex, Marsaxlokk, Marsaskala, Birzebbugia, Floriana, Sliema, Santa Venera, Naxxar, and Qormi.

C Planet director Philip Farrugia is brother-in-law to Labour parliamentary secretary Stefan Zrinzo Azzopardi, appointed in January as junior minister responsible for EU funds.  C-Planet IT Solutions described the issue as a 'mishap' and said it would not be replying to any questions on the matter, insisting the data was "old". The company is expected to release a statement.

The security breach was detected as early as 29 February, after a security researcher posted details of the vulnerability of the company’s server. MaltaToday understands that some data, such as addresses, might not be up to date.

The source said that by knowing the IP address of the vulnerable server, the information could have been downloaded. The company was notified of the leak via email in February, but there was no reaction - the hole in the server was only closed around the 9th March.

Following the publication of the MaltaToday story, deputy data protection commissioner Ian Deguara told the Times of Malta that he would be launching an investigation into the matter.

"We got to know about this personal data breach this morning from media reports. We shall trigger our investigation procedure with the controller responsible for the processing to establish all the facts surrounding this security incident," Deguara is quoted as saying.