By means of the present the Authority for Transport in Malta is, regrettably, constrained to inform you that its servers and intellectual property systems have been the subject of a cyber- attack executed during the night between Friday 25th September 2020 and Saturday 26th September 2020.
The Authority has immediately alerted its technical experts to take all the necessary measures to limit the effects of the said cyber-attack on its systems and has also immediately notified the Executive Police to assist in the matter.
As a result of such notification, a magesterial inquiry has been set up and the inquiring magistrate has appointed a number of experts in order to identify all the facts of the case and preserve all necessary evidence.
The Authority has also engaged third party experts in order to provide their services on this matter and no efforts are being spared in order to contain and prevent any breach of data and information which could ensue as a result of the said cyber-attack.
A data breach notification was submitted to the Office of the Information and Data Protection Commissioner (IDPC) in line with the statutory duties stipulated under the applicable Data Protection Legislation and Regulations.
Your attention is being drawn to this matter in view of any personal data processed by the Authority which is related to you as an identified or identifiable natural person as defined under Article 4 (1) of the General Data Protection Regulation (2016/679).
Upon becoming aware of the cyber attack, the Authority, its external technical experts and its DPO Office have been coordinating its efforts with the ongoing magisterial inquiry and the IDPC in order to quantify and assess the nature of the said cyber attack and any possible subsequent data breach. Following consultations with the IDPC, the Authority is issuing this preliminary data breach notification in order to infrom its data subjects of such cyber attack and possible subsequent data breach on its systems and data. This notification is being issued now that the Authority has obtained a clearer picture of the extent and possible effects and consequences of the said cyber-attack.
From the preliminary analysis carried out, the Authority is in a position to indicate that its vechile registration and driver license components hosted within third-party infrastructure have not been compromised as part of the recent cyberattack. However the Authority at the moment cannot provide such indications in relation to other systems and data which formed part of the Authority’s infrastructure and does not have any indicators confirming that any data was exfiltrated, deleted or modified. In line with the above the Authority is issuing this preliminary data breach notificiation and the Authority will be able to provide additional information in due course once the forensic analysis is concluded and any possible indicators of compromise are quantified.
As a response to the cyber attack and subsequent possible data breach, the Authority has undertaken various measures to address the present situation such as isolating the compromised systems to prevent any further risks and the Authority is working to create a isolated sandbox environment to host its systems. Concurrently the Authority is undergoing a process to ensure that all Authority devices are scanned and verified in order to ensure that any possible indicators of compromise within such devices remain extraneous to the new infrastructure.
This notification is being issued so that you may apply and put in place all such measures which you may deem fit in order to protect any personal data or information which has been processed by the Authority.
Protective measures may include:
- monitoring your personal accounts for any suspicious activity;
- be vigilant against third parties attempting to gather information by deception
(commonly known as ‘phishing’) including through links to fake websites.
- reviewing your card accounts, statements and recent payments for any unauthorised
activity, and immediately reporting such activity to your financial institution;
- in case of identity theft or misuse of your personal data, you should immediately contact
the Executive Police and file a Police Report;
For further information and assistance, please contact the Authority on +356 2122 2203 or by sending an email to the Authority’s DPO Office at [email protected]
Whilst the Authority apologises for any inconvenience caused resulting from such third-party actions, it assures you that you shall be kept fully informed of all developments with particular reference to any matter which may be flagged by the investigations relating to any data pertaining to you as a data subject and/or any risks connected thereto.