The Malta Tax and Customs Administration (MTCA) has reported an incident that occurred on 12 November 2025, between 13:00 and 15:00, during a routine outbound communication procedure.Normally, such communications are sent through a secure notification portal, which allows automated and controlled distribution of bulk notifications to taxpayers and tax practitioners. However, on this occasion, the standard workflow was not followed, causing a deviation from the usual automated process.As a result, a file containing company contact details was accidentally attached to outgoing emails. This meant that the communication received by recipients included:Company nameCompany registration numberTax numberCompany statusEmail addressPhone numberPreliminary assessments indicate that approximately 7,000 email addresses were estimated to have received the attachment.The MTCA has emphasised that no other taxpayer information, including financial data, was disclosed. Importantly, the incident was not the result of a cyberattack or any unauthorised access to government systems.Once the issue was identified, the MTCA took immediate containment actions and launched a structured review of the technical and procedural workflow.An internal review is now underway to pinpoint the factors that contributed to the incident and to determine whether any shortcomings require appropriate action.Moving forward, the MTCA says it will introduce additional safeguards, validation steps, and oversight controls to reinforce process integrity and reduce the risk of a similar incident occurring in the future.The Information and Data Protection Commissioner (OIDPC) has also been formally notified in line with regulatory and procedural requirements.In a statement, the MTCA expressed regret for any inconvenience caused and reaffirmed its commitment to the highest standards of data governance, operational integrity, and accountability across all its functions.•