C-Planet fined €65,000 over security breach that exposed data on 330,000 voters

The Data Protection Commissioner finds that private IT company C-Planet violated the law over a security breach that compromised the data of 330,000 voters

C-Planet Ltd has been fined €65,000 after an investigation by the Data Protection Commissioner found it at fault for a security breach that exposed data on 330,000 voters.

The commissioner instructed the IT company to immediately erase the personal data in the database file stored on the compromised server and provide the commissioner with evidence that this request did not prejudice any ongoing judicial proceedings.

The report said the IT company had violated multiple articles at law, including not notifying the commissioner of the incident.

The data included ID numbers, names, addresses, gender, phone numbers and dates of birth. It accounts for around 75% of the Maltese population.

Screenshots posted on Twitter and a Reddit thread show that the voter database was held by software developer C-Planet IT Solutions in a folder called VotingDocumentSystem.

The security breach was detected as early as 29 February 2020, after a security researcher posted details of the vulnerability in the company’s server.

The company provided IT services for local councils Valletta, Bormla, Mdina, Isla, Birgu, St Paul’s Bay, Ta’ Xbiex, Marsaxlokk, Marsaskala, Birzebbuga, Floriana, Sliema, Santa Venera, Naxxar, and Qormi.

The investigation started after several media outlets, including MaltaToday, reported on the breach. The Daphne Foundation and independent MP Arnold Cassola had also filed reports with the Data Protection Commissioner to investigate the case.
