Malta’s Data Goldmine: A 1c API Mishap
Malta’s Business Registry: A Bargain Bin for Data?
Imagine this: You’re browsing through a dusty, forgotten attic, and you stumble upon a box filled with old, yellowed documents. Each one is a piece of history, a snippet of someone’s life, a fragment of a story long forgotten. Now, what if I told you that Malta’s Business Registry had a similar ‘attic’ – a digital one, filled with 1.3 million documents, each ‘sold’ for just 1 cent?
This isn’t a tale of a garage sale gone viral. It’s a story of how a security researcher, with a keen eye and a curious mind, unearthed a trove of data that was, quite literally, up for grabs.
How It All Began
Meet Robert Knell, a 24-year-old security researcher from the UK. In late 2021, he was tinkering with an old, forgotten API (Application Programming Interface) belonging to Malta’s Business Registry. APIs are like digital doorways, allowing software programs to interact with each other. This one, however, was wide open, and Knell found himself walking through it, straight into a treasure trove of data.
“I was just playing around with it, seeing what I could find,” Knell told Hot Malta. “I didn’t expect to find anything significant. But then, I started seeing files – documents, PDFs, even images. And there were thousands of them.”
Data Goldmine on Triq il-Labour
Knell had stumbled upon an API that was supposed to provide basic business information. Instead, it was serving up a smorgasbord of data, including company registers, ID cards, passports, and even driver’s licenses. All stored on a server located on Triq il-Labour, the very heart of Malta’s business district.
Knell found that he could download these documents for just 1 cent each. No authentication required, no limits on the number of downloads. It was like a data goldmine, and it was wide open.
“I was shocked,” Knell admitted. “I mean, I’ve seen APIs with poor security before, but this was something else. It was like leaving your front door open and hoping no one would notice.”
Data Breach or Data Bazaar?
Knell reached out to the Maltese authorities, who swiftly took the API offline. But the question remains: Was this a data breach, or was it a bizarre, unintentional data bazaar?
Malta’s Information and Data Protection Commissioner, Ian Deguara, told Hot Malta, “We’re treating this as a potential data breach. The fact that the data was accessible for such a low price, and with no authentication, is deeply concerning.”
However, some local cybersecurity experts have a different take. “This could have been an attempt at a novel data monetization strategy,” said Dr. Mark Gammell, a cybersecurity lecturer at the University of Malta. “But it backfired spectacularly. You can’t just open your data store and expect people to behave responsibly.”
Lessons Learned
So, what can we learn from this? For starters, APIs need to be secured just as much as any other digital asset. And data monetization strategies need to be carefully thought out, with user privacy and data protection at their core.
As for Knell, he’s just glad he could help. “I didn’t do this for the money,” he said. “I did it because it was the right thing to do. I hope Malta can learn from this and tighten up their data security.”
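The gaps described in this story (no authentication, no download limit, and identity documents served by an API meant for basic business information) map to three checks a document endpoint can make before returning a file. The sketch below is an added example, not the Registry's code; the token, the document type names and the limits are constructed assumptions.

```python
import hashlib
import hmac
import time

# Constructed sample values (assumptions): one registered client, one public document type.
TOKENS = {hashlib.sha256(b"demo-token-registered-client").hexdigest(): "client-42"}
PUBLIC_TYPES = {"company_register"}


class DownloadGate:
    """Decides whether a document download may proceed."""

    def __init__(self, tokens, limit=20, window=3600):
        self.tokens = tokens      # sha256(token) -> client id
        self.limit = limit        # downloads allowed per client per window
        self.window = window      # window length in seconds
        self.history = {}         # client id -> timestamps of recent downloads

    def authenticate(self, token):
        """Return the client id for a valid token, else None."""
        digest = hashlib.sha256((token or "").encode()).hexdigest()
        for known, client in self.tokens.items():
            # Constant-time comparison avoids leaking how much of the digest matched.
            if hmac.compare_digest(digest, known):
                return client
        return None

    def check(self, token, doc_type, now=None):
        """Return an HTTP-style status: 401, 403, 429 or 200."""
        now = time.time() if now is None else now
        client = self.authenticate(token)
        if client is None:
            return 401            # anonymous or unknown callers are refused
        if doc_type not in PUBLIC_TYPES:
            return 403            # ID cards, passports etc. are never served here
        recent = [t for t in self.history.get(client, []) if now - t < self.window]
        self.history[client] = recent
        if len(recent) >= self.limit:
            return 429            # bulk download is capped per client
        recent.append(now)
        return 200
```

Refused requests (401, 403, 429) do not count against the quota, so only completed downloads are metered.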
