Important Notice Regarding a Security Incident
This notice serves to inform you of a recent data security incident that may have involved some of your personal information. ElitAvia Malta Ltd (‘ElitAvia’) is committed to safeguarding your data and so, we want to provide a transparent explanation of what occurred, what we’ve done in response, and how you can stay protected.
What Happened
On 20 May 2025, ElitAvia was informed by our IT service provider that they had detected a ransomware attack that affected one of our servers. The attackers were able to encrypt solely the data stored on that server. All other parts of our IT infrastructure remained unaffected. Nevertheless, our business operations continued uninterrupted thanks to our robust backup systems.
During the attack, it appears that the attackers exfiltrated a portion of the data stored on the affected server before encryption occurred. Following a thorough internal investigation, we have confirmed that the personal data of our employees and customers, both past and present, could have been included among the extracted information.
Our investigation into the matter is ongoing but at this stage, it does not appear that any data were published online or elsewhere, though this cannot be excluded from occurring some time in future.
What Information Was Involved
The personal data that may have been accessed includes the following:
- Name, surname, Date of birth
- Copies of identity documents such as passports and driving licences
- Home address
- Email address
From our investigations it appears that no financial or payment information (e.g. credit card numbers or bank account details) was involved in this breach.
What We Are Doing
We have taken immediate and ongoing steps to contain and address the incident, including:
- Isolating and restricting access to the impacted server pending further forensic analysis
- Implementing increased monitoring and vigilance across our IT systems to detect and prevent any further suspicious activity
- We immediately engaged outside legal counsel to assist us and advise us on the necessary procedural steps to be taken and are following their advice as we proceed with our internal investigation and remedial measures.
- Working with external cybersecurity experts to strengthen our security posture.
- Reporting the incident to the Maltese Information and Data Protection Commissioner in accordance with applicable data protection laws.
As stated above, at this time, we have not observed any further malicious activity within our systems or any evidence of data misuse, but we continue to monitor the situation closely.
What You Can Do
While there is no indication of any misuse of your data to date, as a precaution, we recommend that you remain alert to any suspicious communications or activity. You may wish to:
- Monitor your email and accounts for phishing attempts or unusual activity.
- Be cautious about unsolicited communications that ask for personal information.
- Consider contacting the relevant authorities if you suspect identity theft or any other type of misuse of data.
- Inform your family members, whom we might have no way of reaching and whose data might have also been affected if you had sent it to us, to also remain vigilant and follow the above steps.
We understand that this incident may be concerning and want to reassure you that we are addressing it carefully and thoroughly. Data security is important to us, and we are taking steps to strengthen our systems to help reduce the risk of similar incidents in the future.
Thank you for your understanding.