Three computer science students and their University lecturer are set to be charged in court after they found and disclosed security flaws in Malta’s largest student application – FreeHour – almost two years ago, The Malta Independent is informed.
Students Michael Debono, Giorgio Grigolo and Luke Bjorn Scerri had found serious security vulnerabilities in the FreeHour app, a mobile timetable application popular amongst students, and in October 2022 sent an email to the company informing them of the security flaw and requesting a ‘bug bounty’, a common practice in ethical hacking.
Instead, the trio and another student were arrested, strip-searched and had their computer equipment seized. FreeHour had later claimed that it had a legal obligation to file a police report but never had any intention of getting the students in trouble.
Regardless however, the students and their lecturer are now facing charges which can carry a sentence of up to four years imprisonment.
Scerri, Debono and Grigolo will be charged with computer misuse, with prosecutors alleging that the trio used computers to access data or documentation being held in another computer in order to copy or modify data, software or documentation without authorisation.
They are also facing charges of obstructing or preventing the use of software and documentation on another computer system
Grigolo separately will be charged for the unauthorised output of data, software or documentation from a computer, and is charged with having copies of any data, software or documentation in a storage medium other than the original location of the data without authorisation.
Their lecturer Mark Joseph Vella, who is a senior Computer Science lecturer at the University of Malta, will be charged with being an accomplice to the students.
Together they will also be charged with using electronic communication with the intent of extorting money or any other gain from the company FreeHour Limited.
A fourth student, Luke Collins, who had originally been arrested in relation to the case, has not been charged.
The charges were first reported by former book council chair and author Mark Camilleri on his blog.
The charge sheet was received on Thursday, however a date on the sheet indicates that it was drafted last February.
It is signed by Attorney General lawyers Nathaniel Falzon and Andreas Vella together with police inspectors Marcus Cachia and Warren Muscat. This newspaper is informed that Falzon no longer works with the Attorney General’s office.
The case will be heard before Magistrate Marse-ann Farrugia and the first sitting will be held on 5 March 2025.
One of the students accused – Michael Debono wrote on Facebook that he hopes that the case will result in a better climate for cybersecurity, but conceded that he is “genuinely exhausted” by the whole situation.
“It's crazy that I've had to spend almost two years now dealing with the fallout of an incident that should have been resolved over a table in a day with FreeHour and the police. I still don't have any of my equipment or the stickers I used to collect from events,” Debono wrote.
The students were barred from taking part in a European cybersecurity challenge this year, and earlier this week the Nationalist Party urged authorities to drop the case against them.