Three students and their lecturer who were charged with gaining unauthorised access to an app were granted a presidential pardon on Tuesday (yesterday), bringing an end to a two-year ordeal that saw them get strip-searched and have their devices confiscated before being hauled before a court.

Their alleged crime, however, is often seen by many companies as a “strategic investment” in understanding how security controls perform under pressure, Christian Bajada tells WhosWho.mt.

Mr Bajada is Head of Information Security at BMIT Technologies, a publicly listed data centre provider that has expanded its offering in recent years, entering the infrastructure and cybersecurity markets.

“Ethical hacking can be part of a collaborative approach to keep security efforts proactive and adaptive, ready for what comes next,” he says when asked about the role of the practice in the broader cybersecurity space.

The hacking case

The three students – Michael Debono, Luke Bjorn Scerri and Giorgio Grigolo – found a “bewilderingly stupid” security flaw in the app of the popular student platform FreeHour, with Mr Grigolo making an unauthorised change to the app as evidence of the vulnerability, before reverting it to its original state.

They were reported to the police – an action that was itself not without controversy – and spent the last two years with a potential four-year prison sentence and a hefty fine hanging over their heads.

The latest development comes after the Prime Minister and the Cabinet recommended presidential pardons for the three students and their lecturer Mark Joseph Vella.

In a statement, Prime Minister Robert Abela noted that the hack was well-intentioned, although the Opposition Nationalist Party criticised the Government’s inaction in changing the law to prevent such cases from re-occurring.

The role of ethical hacking

The BMIT Head of Information Security makes it clear that he is not privy to details about the case and is not commenting on the FreeHour hack.

However, shedding light on how ethical hackers can help companies bolster their security systems, he notes that the most effective security programmes today “go beyond traditional defences by actively testing their own vulnerabilities.”

For example, companies increasingly hire trusted professionals to simulate real attacks and find weaknesses before bad actors can exploit them.

Mr Bajada says that this approach delivers value “far beyond compliance and routine audits,” describing it as “a strategic investment in understanding how security controls perform under pressure.”

He continues: “Security is never static. New technologies emerge, attack methods evolve, and yesterday's defences may not protect against tomorrow's threats. If that were not the case, we would still be using the same locks from 100 years ago.”

The IT security expert argues that smart businesses do not treat ethical hacking as an annual exercise but integrate it into their ongoing security practices, giving boards, regulators and customers real confidence that risks are being managed properly.

Addressing the often interchangeable use of ‘ethical hacking’ and ‘penetration testing’, Mr Bajada notes that they actually serve different purposes.

“Penetration testing involves formal, scoped assessments conducted with explicit permission and clear boundaries,” he says, “while ethical hacking casts a wider net, encompassing bug bounty programmes, responsible disclosure research, and other good-faith security reviews that reveal blind spots businesses might miss internally.”

Ultimately, both strengthen security by showing how systems stand up under realistic conditions.

Regardless of the precise method used, finding flaws is only part of the story, he argues.

“The real value is in building resilience. Good ethical hacking supports stronger policies, better processes and a more prepared culture.”

Mr Bajada points out that many larger companies now run bug bounty programmes to encourage trusted researchers to help find and fix vulnerabilities responsibly.

“This collaborative approach keeps security efforts proactive and adaptive, ready for what comes next.”

Written By

Robert Fenech

Robert is curious about the connections that make the world work, and takes a particular interest in the confluence of economy, environment and justice. He can also be found moonlighting as a butler for his big black cat.