The Malta Tax and Customs Administration (MTCA) reports that an incident occurred on 12 November 2025, between 13:00 and 15:00, during a routine outbound communication procedure.
Communications of this nature are ordinarily executed through a secure notification portal, which enables the automated and controlled distribution of bulk notifications to taxpayers and tax practitioners. On this occasion, the established workflow was not followed, resulting in a deviation from the standard automated process.
During the issuance of the messages, a file containing company contact details was inadvertently attached to outgoing emails. Consequently, the communication distributed to recipients included the company name, company registration number, tax number, company status, email address, and phone number. Preliminary assessments indicate that approximately 7,000 email addresses are estimated to have received the attachment.
The MTCA confirms that no additional taxpayer information, including any financial data, was disclosed, and that the incident did not result from a cyberattack or any form of unauthorised access to Government systems.
Upon identification of the issue, the MTCA implemented immediate containment actions and initiated a structured review of the technical and procedural workflow.
An internal review has commenced to identify the factors that contributed to the incident and to determine whether any shortcomings warrant appropriate action.
Source: MTCA
