SZA law firm data floating around on web

Voter data was not the only data leaked online from a system operated by C-Planet IT Solutions. The database of another “satisfied” customer, the law firm SZA, where Parliamentary Secretary for European Funds Stefan Zrinzo Azzopardi was a partner prior to being appointed a junior minister, can also be found online.

Since Zrinzo Azzopardi’s appointment, the law firm has rebranded to 360 Legal Malta.

One of the results returned when searching online for the company was a link leading to the law firm’s internal system, including access to their pending bills and their client list, as well as to their employee and administrator usernames and unencrypted passwords. These credentials allow any member of the public who discovers this system, through Google or another search engine, to log in and view the firm’s live operational database, including bills for legal work sent to clients, as well as other personal data on thousands of clients and litigants, going back as far as 2014.

The breach went unnoticed by the firm up until Wednesday. Yesterday evening, the list of pending bills was even updated with a new entry. By Thursday, the system was taken offline, but the list of pending bills is still available in search engine caches.

The pending bills list and full clients list were seen by Newsbook.com.mt. The list of bills sent by SZA to their clients runs from 3 February 2014 to 1 April 2020.

Among the clients, one finds the Office of the Prime Minister, the Ministry of Health, the Ministry for Infrastructure, Transport and Capital Projects, the Ministry for Home Affairs, the European Union Programmes Agency, a number of Partit Laburista clubs around the island, companies tendering for the supply of medicine and medical equipment, as well as construction companies including Elbros, Tal-Maghtab and Bilom.

The company’s turnover and monthly financial breakdown were also accessed. They show no change in the firm’s revenue in March.

“A shoddy job”

Sources working in the sector who spoke with Newsbook.com.mt described the whole internal system set-up as a “shoddy job” or a “student project gone wrong”.

The sources, who were approached after the database was found, remarked that being able to access such internal information without any login required – including pending bills and a list of unencrypted usernames and passwords, with the possibility of accessing the whole internal system and possibly the individual client files – shows what a shoddy job the company did.

Sources said that, from a professional point of view, they were so appalled that they did not know where to start.

“There are no certificates; there is unauthorised access to sensitive data, easily searchable lists of all users and passwords, passwords in raw format, all passwords follow the same format,” the sources observed, “this shows the vulnerability of the system”.

C-Planet IT Solutions is the company that handled the data which was subsequently leaked. On Thursday morning, Times of Malta reported that the cache of data which was leaked online is understood to have originated from the Partit Laburista and shows the voting preferences of most of the population.

Personal information on some 337,884 individuals, which includes names, addresses, ID card details, phone numbers and their voting preference, was leaked online.

The company is owned by Philip Farrugia, a former production director at One Productions, Partit Laburista’s media wing.

Farrugia is married to Alexia Zrinzo Azzopardi, who is the sister of the junior minister and a partner at SZA.