Lands Authority fined €5,000 over last year’s data breach

The Lands Authority has been served a €5,000 fine after the data protection watchdog’s investigation on last year’s data breach found that the Authority’s portal didn’t have in place the necessary security safeguards.

Last November, personal information of clients serviced by the Lands Authority ended up in the public realm, after a website fault allowed the data to be accessed through the internet.

The data breach, which included identity card details, e-mail correspondence and affidavits, led to some 5,000 clients of the authority having their personal data accessible by a simple Google search.

In a decision issued on Monday, Information and Data Protection Commissioner Saviour Cachia said that the findings of his office's investigation - which was launched after the data breach was brought to his attention by Times of Malta on 23 November 2018 - established that the online application platform available on the Authority’s portal lacked the necessary technical and organisational measures to ensure the security of processing.

READ ALSO: Lands Authority website had major flaw that allowed clients to be indexed

The Lands Authority was found to have infringed the provisions of Article 32 of the General Data Protection Regulation (GDPR) and, in terms of Article 21 of the Data Protection Act (CAP. 586), was served with an administrative fine of €5,000. The level of the fine was reached after the Commissioner took into account the circumstances set out under Article 83.2 of the GDPR.

The temporary ban imposed on the Authority’s portal has been lifted.

The Lands Authority offered their full and unrestricted collaboration to the Commissioner during the course of the entire investigation, the Commissioner noted.