Reports suggesting that the Malta Gaming Authority (MGA) was “hacked” have sparked concern across the iGaming industry, particularly around the safety of regulatory and player data. However, the reality appears more measured than initial headlines implied.
The MGA has officially acknowledged that one of its systems was breached and that internal response procedures were immediately activated.
At the same time, the Authority maintains that its core regulatory databases remain protected, with no current evidence indicating that sensitive personal or licensee data has been extracted.
According to a statement issued on 17 March, the breach occurred “within one of its systems,” prompting swift containment measures and collaboration with technical experts and relevant authorities.
A follow-up communication on 20 March reiterated the regulator’s strong stance against any unauthorised access or distribution of data, while also pushing back on claims circulating publicly.
Was the MGA actually hacked?
In simple terms, yes. There was unauthorised access to part of the MGA’s IT environment. However, this does not mean that critical systems, such as licensing or player databases, were compromised.
Industry reporting based on the Authority’s disclosures suggests the breach affected internal administrative or communication platforms rather than core regulatory infrastructure. So far, there is no indication that highly sensitive financial or personal data has been accessed.
The incident was identified through monitoring systems, triggering established response protocols. These included containment measures, forensic investigations, and the involvement of external cybersecurity specialists.
Key uncertainties remain, including which specific systems were accessed, what data may have been visible during the breach, and whether any information was copied or shared.
The situation escalated after German cybersecurity researcher Lilith Wittmann publicly claimed responsibility for the breach on X (formerly Twitter).
Wittmann stated that she had accessed MGA systems and shared the obtained data with journalists and authorities. Her claims also included serious allegations about the regulator’s licensing practices and warnings that further data could be released under certain circumstances.
The MGA has firmly rejected these assertions, describing them as unsubstantiated and condemning any unauthorised handling or dissemination of data. At this stage, the regulator has not confirmed whether Wittmann actually obtained any sensitive information, and investigations are ongoing.
Current statements from the MGA and industry sources suggest that critical systems, such as licensing records, compliance data, and supervisory tools, are housed in separate, highly secured environments that were not affected.
The breach appears limited to non-core systems used for internal operations. However, cybersecurity experts note that even minor access points can sometimes be used to move deeper into networks if not quickly contained.
So far, there is no confirmed evidence that player data, financial records, or operator submissions have been exposed. Still, this assessment may evolve as forensic analysis continues.
The MGA has stated it will provide updates where necessary, in line with EU obligations such as the Network and Information Systems Directive and its own reporting standards.
Malta is home to over 300 licensed gaming companies, making the integrity of its regulator critical to the wider industry. Any cybersecurity incident involving the MGA inevitably raises questions about trust, resilience, and oversight.
Even if the breach proves limited in scope, it is likely to prompt increased scrutiny from auditors, partners, and international regulators. Operators, payment providers, and stakeholders rely heavily on Malta’s reputation as a stable and secure licensing hub.
The incident also highlights a broader reality: regulatory systems are part of the wider cybersecurity landscape and can represent potential points of vulnerability.