The Malta Tax and Customs Administration (MTCA) has confirmed that “an incident occurred on 12 November 2025, between 13:00 and 15:00,” during what should have been a routine outbound communication procedure. The Administration explained that such communications are normally issued through a secure notification portal designed to automate and control bulk messages to taxpayers and practitioners. However, “the established workflow was not followed,” leading to a deviation from the standard process.
As a result, a file containing company contact details was mistakenly attached to outgoing emails. The attachment included “the company name, company registration number, tax number, company status, email address, and phone number.” Preliminary checks indicate that around 7,000 email addresses may have received this file.
The MTCA stressed that no financial or additional taxpayer information was exposed, and confirmed that the incident “did not result from a cyberattack or any form of unauthorised access.” Immediate containment measures were taken, followed by a full technical and procedural review.
An internal investigation is now underway to determine contributing factors and whether further action is required. Additional safeguards and oversight controls will also be introduced. The OIDPC has been formally notified. The MTCA expressed regret and reaffirmed its commitment to “the highest standards of data governance.”
🇲🇹 For the latest updates and stories from across Malta, follow News of Malta.
