Above: Illustration by nateemee/123RF.com

BitDepth#1432 for November 13, 2023

The TSTT data breach that went public on October 27 might have been the noisiest consequence of a cyberattack that Trinidad and Tobago has experienced so far, but it wasn’t the first.

In the case of the ANSA McAl, Massy, Port of Spain City Corporation and Attorney General’s office breaches, along with two others that I know of that were never made public, the saving grace was that the punitive dump of data was never widely distributed.

In others, like the recently discovered 2021 Digicel Group breach, the files are available but so fragmented (337 archived parts each 500MB in size) that downloading the data on the glacially slow dark web network is a task reserved for the truly determined.

By last week, roughly eight days after I broke the story on October 28, the 6GB of exfiltrated TSTT files had moved beyond the dark web to file sharing sites on the open internet.

The incident descended into debacle, as the facts, available for review by anyone with the skill or determination to do so, were vigorously denied by TSTT.

But the crosstalk seemed to be happening among an informed and increasingly heated few while the larger population remained unconcerned. For four days after my first reporting on the incident, I was both confused and angry at this laissez faire response.

It seemed inconceivable to me that so few people saw the problem, and the official statements from the Minister of Public Utilities and TSTT flew so blatantly in the face of the facts as to be insulting.

One aspect of this remains an issue of concern. In the face of general apathy about the data breach, mainstream media and online commenters increasingly sought more colourful ways to illustrate the issue, including displays of unredacted personal information.

The laws that should govern the handling of misappropriated information are still frozen in the clauses of the Data Protection Act that have not been brought into local legislation, but commonsense should have moderated some of the more outrageous reporting and demonstrative sharing that characterised an increasingly widespread effort to draw more national attention to the issues raised by the breach.

Ironically, one of the reasons that the Data Protection Act was never fully proclaimed was a vigorous and sustained objection by local media to the chilling effect on reporting that would have resulted from an implementation of the legislation as originally drafted.

It’s important for journalists to view and confirm information before reporting it to the wider public, even if the documents are too sensitive to be widely shared.

If everyone is saying the sky is blue, it’s the journalist’s job to always open the window and look. If the laws deny that basic precept, they also neuter a fundamental strength of journalism and its importance to the public interest.

In the Massy breach, I had access to the dark web onionsite hosting the breached information and began downloading it before reconsidering. Was I going to be taking possession of stolen goods?

At that point, I believed that there was already enough in the public domain to make that story clear, but I might have been wrong.

Who knows how much sensitive personally identifiable information (PII) has already been bobbing around on the dark web as a result of the previously reported local data breaches that we haven’t seen the scope of as well as those that we don’t know anything about.

If nothing else, the widespread enthusiasms of the last two weeks make it clear that laws are needed, but they must establish parameters that allow practicing journalists to evaluate and inform the public, compel companies to disclose the nature and scale of data lost and penalise carelessness in data gathering, management and security.

It would be a terrible misunderstanding of the situation to assume that because there has been no leak of sensitive information such as credit card numbers that the leak is harmless.

What is in the public domain as a consequence of this leak and others involving the (PII) of hundreds of thousands of people, perhaps as many as millions if the data exfiltrated from the recent breaches involving PriceSmart and Courts go public, is a trove of information that at the very least, a gold mine for marketing.

TSTT’s handling of this incident was disgraceful, but not surprising. In November 2019, I wrote a story about the fragile state of the company’s back office accounting software.

It took six months and background conversations with six employees under NDA, three of them retired, to gather the information that forced the interview that produced that story.

I was told that TSTT was not happy about it, but the company kept silent, hoping that the complex and technical nature of the story would bury it. And they were right. Then.

In their press release on October 30, I saw elements of the same playbook, an effort to impress the public with their capable corporate handling of the situation while determinedly downplaying the potential impact of the data breach.

When faltering billing system created problems for people trying to pay their bills or trying to find payments that were lost, the company dissembled vaguely.

With the 2023 data breach, the creeping realisation slowly came home for hundreds of thousands of people that their personal information was in the public domain.

What had been conceptually private was now digital bottom in the road.

It isn’t clear that TSTT has learned anything from this experience. Five days after the breach went public, the company apologised, but it did so in the sixth paragraph of an eight paragraph press release, the definition of “Oh, by the way, sorry about that.”

A slightly less equivocal, but signed response came from CEO Lisa Agard two weeks later.

The state’s only reaction to its errant company (GoRTT is the majority shareholder in TSTT) has been to fulminate about investigations and we all know what happens to those.

The TT Cybersecurity Incident Response Team’s (TTCSIRT) monosyllabic responses to questions about the breach on November 08 (https://cstu.io/2496f6) are probably the best summary of the problem.

With no law governing misuse of data, no crime has been committed. The TTCSIRT is essentially powerless to intercede with anyone who doesn’t invite them in. The state is still figuring out what’s happened.

The single take-away, our sole solace, should be an understanding of the insecurity and uncertainty a lapse in cybersecurity can wreak and our profit should be what we have learned from it.

But it isn’t clear that anyone in a position of responsibility has been studying that homework.