Skills Card Directory is not online; however, personal data is

An investigation by Newsbook.com.mt reveals that there seems to be a data breach concerning the Building Industry Consultative Council (BICC).

A simple Google search of a phone number has led to the discovery of a whole database which is floating around on the web. The data includes the name, surname, address, mobile numbers, email, different licences in hand, nationality, signatures, and photos of those who applied for their Construction Industry Skills Card.

Newsbook.com.mt has taken a look at the backend of the database which is available and found that a person with knowledge of IT can run reports of those who are registered, send bulk emails and enter new entries.

The Construction Skills Card enables applicants to apply for a specific skill card in different levels according to their ability in a particular trade. The skill card is also recognised within all European countries and recognises one’s skills and abilities according to the level attained which will be shown on the card.

One may apply for the Skill Card through servizz.gov.mt.

Those who hold the Industry Skill Card would be listed on an online directory on the official BICC website. However, when one tries to access the directory through BICC, one finds a broken link.

This newsroom reached out to an IT expert who described the discovery as a serious data breach. A large amount of personal information has been leaked to the public, and the data is not protected: accessing it does not require login credentials.

The expert remarked that, by having access to the link which was found from a quick Google search, a person could view all users’ personal details such as full house address, signature, and photos, among others. One could also create a new fictitious user or even defraud the public by entering a new user with qualifications they might not have. One could also edit users’ information and download all the data.

“I hope this gets offline as soon as possible not to aggravate the situation,” the IT expert remarked.

Legal sources speaking to Newsbook.com.mt remarked that this was yet another example of how businesses and entities, including the government in Malta, have not prepared themselves by taking the proper measures in containing the data they hold.

The legal expert explained that the use of cloud services or posting of such information on intranet sites, coupled with Google’s advancing indexing capacities, has made this information searchable and accessible.

“The burden is on the person controlling such data to make sure the necessary precautions are taken so that the data cannot be accessed easily,” the legal sources said. These data leaks are evidence that these precautions are not being taken, the source concluded.

Not the first time

This is not the first time that such a data breach has occurred.

The Data Protection Commissioner has already fined the Lands Authority €5,000 after an investigation of a major data breach, in February 2019. A massive security flaw in the Lands Authority’s website had inadvertently dumped a huge amount of personal data online. Identity card details, email correspondence, affidavits and other compromising data were made easily searchable on the internet thanks to the security flaw.

Earlier this year, Newsbook.com.mt had reported that the law firm for which Parliamentary Secretary Stefan Zrinzo Azzopardi had worked before being appointed junior minister had had its data leaked online. The law firm’s IT system was operated by C-Planet IT solutions which was holding information on 337,384 voters from Malta and which is now subject to an investigation after the massive security vulnerability.