MGA hack underscores supply‑chain risk

MGA posted an official statement on 17 March 2026 saying it "identified a breach within one of its systems" and activated internal response protocols while investigations continue. (mga.org.mt) Berlin‑based researcher Lilith Wittmann publicly claimed responsibility in a post on X on 20 March 2026 and said data obtained had been shared with media partners and authorities while levelling allegations about organised‑crime enablement. (timesofmalta.com) The Authority insisted there is currently no evidence that its core regulatory databases or licence registers were exfiltrated and said it engaged external cybersecurity experts as part of containment and forensic work. (acealliance.com) Wittmann previously published an exposé on 14 March 2025 alleging an unsecured API exposed player data across Merkur Group sites, with contemporary reports estimating exposure in the hundreds of thousands up to roughly 800,000 players. (next.io) Vendor statements from the Merkur incident said the exploit relied on third‑party integration mechanics and that the actor made API requests indistinguishable from legitimate clients using valid credentials. (sumsub.com) MGA’s regulatory framework explicitly treats the supply and management of gaming software and back‑office systems as "critical gaming supply" subject to B2B licensing, a classification that concentrates risk when suppliers are compromised. (mga.org.mt) Malta hosts a large regulated cluster — the sector includes more than 300 licensed operators — amplifying downstream impact if a centralized regulator or key supplier is abused. (hotmalta.net) U.S. DoD guidance on ICT supply‑chain risk management stresses trust‑and‑verification for critical ICT and residual‑risk controls, while major geospatial platforms (e.g., NGA’s GRiD) rely on mixed open‑source and community libraries that mirror the same third‑party attack surface highlighted by the MGA incidents. (dodcio.defense.gov)