BitDepthFeatured

TSTT’s dark night of the soul

4 Mins read

Above: Illustration by nateemee/123RF.com

BitDepth#1432 for November 13, 2023

The TSTT data breach that went public on October 27 might have been the noisiest consequence of a cyberattack that Trinidad and Tobago has experienced so far, but it wasn’t the first.

In the case of the ANSA McAl, Massy, Port of Spain City Corporation and Attorney General’s office breaches, along with two others that I know of that were never made public, the saving grace was that the punitive dump of data was never widely distributed.

In others, like the recently discovered 2021 Digicel Group breach, the files are available but so fragmented (337 archived parts each 500MB in size) that downloading the data on the glacially slow dark web network is a task reserved for the truly determined.

By last week, roughly eight days after I broke the story on October 28, the 6GB of exfiltrated TSTT files had moved beyond the dark web to file sharing sites on the open internet.

The incident descended into debacle, as the facts, available for review by anyone with the skill or determination to do so, were vigorously denied by TSTT.

But the crosstalk seemed to be happening among an informed and increasingly heated few while the larger population remained unconcerned. For four days after my first reporting on the incident, I was both confused and angry at this laissez faire response.

It seemed inconceivable to me that so few people saw the problem, and the official statements from the Minister of Public Utilities and TSTT flew so blatantly in the face of the facts as to be insulting.

One aspect of this remains an issue of concern. In the face of general apathy about the data breach, mainstream media and online commenters increasingly sought more colourful ways to illustrate the issue, including displays of unredacted personal information.

The laws that should govern the handling of misappropriated information are still frozen in the clauses of the Data Protection Act that have not been brought into local legislation, but commonsense should have moderated some of the more outrageous reporting and demonstrative sharing that characterised an increasingly widespread effort to draw more national attention to the issues raised by the breach.

Ironically, one of the reasons that the Data Protection Act was never fully proclaimed was a vigorous and sustained objection by local media to the chilling effect on reporting that would have resulted from an implementation of the legislation as originally drafted.

It’s important for journalists to view and confirm information before reporting it to the wider public, even if the documents are too sensitive to be widely shared.

If everyone is saying the sky is blue, it’s the journalist’s job to always open the window and look. If the laws deny that basic precept, they also neuter a fundamental strength of journalism and its importance to the public interest.

In the Massy breach, I had access to the dark web onionsite hosting the breached information and began downloading it before reconsidering. Was I going to be taking possession of stolen goods?

At that point, I believed that there was already enough in the public domain to make that story clear, but I might have been wrong.

Who knows how much sensitive personally identifiable information (PII) has already been bobbing around on the dark web as a result of the previously reported local data breaches that we haven’t seen the scope of as well as those that we don’t know anything about.

Illustration by lightsource/DepositPhotos.com

If nothing else, the widespread enthusiasms of the last two weeks make it clear that laws are needed, but they must establish parameters that allow practicing journalists to evaluate and inform the public, compel companies to disclose the nature and scale of data lost and penalise carelessness in data gathering, management and security.

It would be a terrible misunderstanding of the situation to assume that because there has been no leak of sensitive information such as credit card numbers that the leak is harmless.

What is in the public domain as a consequence of this leak and others involving the (PII) of hundreds of thousands of people, perhaps as many as millions if the data exfiltrated from the recent breaches involving PriceSmart and Courts go public, is a trove of information that at the very least, a gold mine for marketing.

TSTT’s handling of this incident was disgraceful, but not surprising. In November 2019, I wrote a story about the fragile state of the company’s back office accounting software.

It took six months and background conversations with six employees under NDA, three of them retired, to gather the information that forced the interview that produced that story.

I was told that TSTT was not happy about it, but the company kept silent, hoping that the complex and technical nature of the story would bury it. And they were right. Then.

In their press release on October 30, I saw elements of the same playbook, an effort to impress the public with their capable corporate handling of the situation while determinedly downplaying the potential impact of the data breach.

When faltering billing system created problems for people trying to pay their bills or trying to find payments that were lost, the company dissembled vaguely.

With the 2023 data breach, the creeping realisation slowly came home for hundreds of thousands of people that their personal information was in the public domain.

What had been conceptually private was now digital bottom in the road.

It isn’t clear that TSTT has learned anything from this experience. Five days after the breach went public, the company apologised, but it did so in the sixth paragraph of an eight paragraph press release, the definition of “Oh, by the way, sorry about that.”

A slightly less equivocal, but signed response came from CEO Lisa Agard two weeks later.

The state’s only reaction to its errant company (GoRTT is the majority shareholder in TSTT) has been to fulminate about investigations and we all know what happens to those.

The TT Cybersecurity Incident Response Team’s (TTCSIRT) monosyllabic responses to questions about the breach on November 08 (https://cstu.io/2496f6) are probably the best summary of the problem.

With no law governing misuse of data, no crime has been committed. The TTCSIRT is essentially powerless to intercede with anyone who doesn’t invite them in. The state is still figuring out what’s happened.

The single take-away, our sole solace, should be an understanding of the insecurity and uncertainty a lapse in cybersecurity can wreak and our profit should be what we have learned from it.

But it isn’t clear that anyone in a position of responsibility has been studying that homework.

TATT begins digital television free to air testing

TATT begins digital television free to air testing

The transition of free-to-air television from analogue to digital will bring an enhanced quality of service to consumers, including up to 4K high-definition resolution video, access to electronic programming guides,...
Read More
New CELIA submarine cable to connect Caribbean to the US

New CELIA submarine cable to connect Caribbean to the US

CELIA will enhance connectivity in the Caribbean region, providing high-capacity and secure data transfer and very high Internet speeds with low latency.
Read More
Samsung leans in on extended reality (XR)

Samsung leans in on extended reality (XR)

Supported by the broader Galaxy ecosystem, this technology will empower and transform your everyday life in a way that only we can deliver.
Read More
What keeps regional cybersecurity experts awake at night

What keeps regional cybersecurity experts awake at night

Whether the attack comes from a successful external attempt, exploiting a vulnerability or from inside, perhaps a disgruntled employee, an exploit needs just one vulnerability.
Read More
Where hackers begin

Where hackers begin

Digital nation strategies have been released by 170 countries and regions and more than 60 countries have elevated AI in their national strategy.
Read More
Blue skies for microblogging?

Blue skies for microblogging?

Bluesky hit its current high of 23 million users faster than expected, but it’s way behind X.
Read More
Samsung Electronics Joins the Carbon Trust

Samsung Electronics Joins the Carbon Trust

Globally, connected devices currently require approximately 500 terawatt-hours (TWh) of energy annually.
Read More
The apps that thrive in Apple’s ecosystem

The apps that thrive in Apple’s ecosystem

By Apple's own yardstick an app that shares usable data across three devices is acceptable one that synchronises with four is a winner.
Read More
America’s open mic moment

America’s open mic moment

What made online pundits so effective in the US election?
Read More
The press and the president-elect

The press and the president-elect

Beyond the president-elect's often-expressed intent to retaliate against journalists he believes are unfairly attacking him is the agenda of Project 2025.
Read More
All washed up

All washed up

Dirt on its own will simply shake out of fabric. What keeps it in place is oil and grease, readily generated by human skin.
Read More
Samsung extends Knox security to its home appliances

Samsung extends Knox security to its home appliances

Knox Matrix is a security solution that comprehensively protects connected devices and networks using private blockchain technology.
Read More
bmobile and CARIRI host 3,500 children at Innovation Camp

bmobile and CARIRI host 3,500 children at Innovation Camp

In the Power Up Competition, students were challenged to develop solutions for real-world problems particularly those affecting the environment.
Read More
TATT begins digital television free to air testing TATT begins digital television free to...
New CELIA submarine cable to connect Caribbean to the US New CELIA submarine cable to connect...
Samsung leans in on extended reality (XR) Samsung leans in on extended reality...
What keeps regional cybersecurity experts awake at night What keeps regional cybersecurity experts awake...
Where hackers begin Where hackers begin
Blue skies for microblogging? Blue skies for microblogging?
Samsung Electronics Joins the Carbon Trust Samsung Electronics Joins the Carbon Trust
The apps that thrive in Apple’s ecosystem The apps that thrive in Apple’s...
America’s open mic moment America’s open mic moment
The press and the president-elect The press and the president-elect
All washed up All washed up
Samsung extends Knox security to its home appliances Samsung extends Knox security to its...
bmobile and CARIRI host 3,500 children at Innovation Camp bmobile and CARIRI host 3,500 children...

🤞 Get connected!

A once weekly email notification of new stories on TechNewsTT. Just that. No spam.

Possible UI Glitch. Click top right corner to dismiss 👉

Get Connected!

A once weekly email notification of new stories on TechNewsTT.

Just that. No spam.

Related posts
BitDepthFeatured

America’s open mic moment

4 Mins read
What made online pundits so effective in the US election?
BitDepthFeatured

The press and the president-elect

4 Mins read
Beyond the president-elect’s often-expressed intent to retaliate against journalists he believes are unfairly attacking him is the agenda of Project 2025.
News Briefs

TSTT confirms Kent Western as CEO

1 Mins read
Effective October 01, 2024, TSTT has confirmed the appointment of Kent Western as Chief Executive Officer. Western has been acting…
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

3 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Party Pooper
Party Pooper
1 year ago

Thank you for sharing this information.

I’m upset in several ways. Generally speaking, I wonder what kind of IT security TSTT practices. Actually, whether they understand the concept at all.

Far too often, I’ve seen companies treat IT as some kind of plumbing, connecting together what they regard as a set of electronic typewriters. Yes, the great benefit of PCs is that they are quieter than the old IBM Selectric typewriters they replaced.

Apparently, we’re still at the level where people working in at least one local ISP still use calculators to add up columns in their spreadsheets before entering the total of the column! Don’t laugh!

As for management’s awareness of security, it’s largely ignored. Unless companies can be successfully sued for data breaches, that’s NEVER going to change.

I remember, after spending an hour in the Fraud Squad explaining an attempt to defraud a company of US$290,000, when I suggested to the general manager that perhaps now we should think about discussing computer security, that person responded that I should just do whatever I thought was necessary, not even wanting to discuss it.

Data security is so far off the radar of companies in Trinidad that it should be considered non-existent. Perhaps the banks are slightly better. But we have seen several times in the past where customers’ bank details have appeared in the newspapers, haven’t we?

The only thing I’ve heard is that, from time to time, the more “advanced” companies force their employees to watch some videos on security and perhaps, take a test on what they just watched, lip service to proper computer security.

Why weren’t these databases encrypted? Why wasn’t the data traffic being monitored? Was there no way for unusual activity to raise an alarm?

Why weren’t the IT staff trained in defensive security? Oh wait, I know the answer to that one! Too expensive! Companies don’t like to train staff any more because that training makes them more valuable and they can jump ship to get a better salary elsewhere after they’ve been trained!

Come to think of it, nobody has employees anymore, only contractors. Job security has disappeared! Why do we need trained system administrators any more, we have everything on the cloud!

Another thing local businesses don’t invest in, is documentation. Nobody writes anything down! Why would they? If job security is not guaranteed, the only way to hold on to your job, is to keep the important information secret! So, IT people never write anything down! They are a tight cliche, a closed priesthood! Job security through obscurity!

With a business culture that is so myopic and closed, data breaches are an inevitable result.

And without the legal ability to sue these coempanies, the public is helpless to do anything about it.

Welcome to the backwaters of 21st century civilisation!

Taran Rampersad
Taran Rampersad
Reply to  Party Pooper
1 year ago

I often look back 20 years or so in my professional experience abroad and think, “Oh, I remember this part of history abroad.”

dennise
1 year ago

Thanks for continuing to comment objectively on this horrible situation. I have not seen or read anything which makes me confident that we have taken any preventative action. I shudder to think of if this happens again and citizens have very little recourse. Changing passwords seems to be not enough. We must find a way to move forward in this digital world.

×
FeaturedTechnology Reporting

TSTT's week of evasion and half-truths

3
0
Share your perspective in the comments!x
()
x