Security Researcher Claims MGA Breach, Alleges Links to Organised Crime
The Malta Gaming Authority has confirmed a security breach of its systems following claims by German security researcher Lilith Wittmann, who alleges she accessed sensitive regulatory data and uncovered evidence of organised crime connections within Malta’s gambling sector.
In a public statement on 17 March, the MGA acknowledged a breach affecting one of its systems and confirmed it had activated internal response protocols. The regulator characterised the incident as being treated “with the utmost seriousness” but declined to specify which data may have been compromised.
Wittmann, who describes herself as an ethical hacker, publicly claimed responsibility for the breach three days later. “And yes, we will expose the organised crime enablement schemes you created while presenting yourselves as a ‘legitimate public service,’” she wrote in a now-deleted social media post.
MGA Rejects Allegations
The regulator issued a firm rebuttal on Friday, condemning what it termed “unacceptable” conduct incompatible with lawful engagement with public institutions. The MGA dismissed Wittmann’s allegations as “unsubstantiated” and insisted they “do not undermine the MGA’s role as a regulator committed to transparency, due process and the rule of law.”
“The Authority operates within a robust legal and regulatory framework and carries out its statutory functions with integrity, independence and accountability,” the statement read.
The breach raises immediate questions about the security architecture protecting one of Europe’s most significant gambling regulators. The MGA oversees hundreds of licensees across multiple jurisdictions, holding substantial volumes of compliance documentation, operator financial records, and potentially player data submitted as part of regulatory reviews.
Previous High-Profile Breach
Wittmann has established a track record in exposing security vulnerabilities within the gambling sector. Earlier this month, she revealed a significant data breach affecting German gaming sites operated by Merkur Gaming, exposing approximately 800,000 player accounts through an unsecured API endpoint.
That incident involved access to banking details, registration information and other sensitive player data via a GraphQL query vulnerability. At the time, Wittmann warned that compromised player information could potentially be used to breach regulatory systems themselves, a concern that appears prescient given the subsequent MGA incident.
The German regulator, the GGL, notably took no significant enforcement action against the operators involved in the Merkur breach, despite the scale of the exposure.
Wider Implications
The MGA breach arrives at a sensitive moment for Malta’s gambling industry. The jurisdiction has faced persistent scrutiny over its regulatory standards, particularly regarding financial crime controls and the adequacy of operator oversight. Any suggestion of compromised data integrity at the regulatory level compounds existing reputational challenges.
Whether Wittmann’s allegations of organised crime links carry substance remains to be seen. However, the confirmed breach itself represents a serious security failure. Regulatory bodies hold privileged information that, if exposed or manipulated, could compromise investigations, undermine compliance processes or expose commercially sensitive operator data.
The incident underscores the escalating cybersecurity challenges facing gambling regulators as they digitalise oversight functions while managing vast datasets across increasingly complex technology stacks. With regulatory systems now prime targets for both activists and malicious actors, the MGA breach may prompt a sector-wide reassessment of data protection standards at the institutional level.
What the team thinks
Carl Mitchell says:
This breach is deeply concerning for player trust, but I’m more interested in what the MGA actually does with these allegations than the hack itself. If there’s any truth to organised crime links, punters deserve to know which operators are affected so they can make informed choices about where they play. The regulator’s response in the coming weeks will tell us everything we need to know about whether Malta is still fit to license half the casinos we all use.