BitDepthFeatured

TSTT’s dark night of the soul

4 Mins read

Above: Illustration by nateemee/123RF.com

BitDepth#1432 for November 13, 2023

The TSTT data breach that went public on October 27 might have been the noisiest consequence of a cyberattack that Trinidad and Tobago has experienced so far, but it wasn’t the first.

In the case of the ANSA McAl, Massy, Port of Spain City Corporation and Attorney General’s office breaches, along with two others that I know of that were never made public, the saving grace was that the punitive dump of data was never widely distributed.

In others, like the recently discovered 2021 Digicel Group breach, the files are available but so fragmented (337 archived parts each 500MB in size) that downloading the data on the glacially slow dark web network is a task reserved for the truly determined.

By last week, roughly eight days after I broke the story on October 28, the 6GB of exfiltrated TSTT files had moved beyond the dark web to file sharing sites on the open internet.

The incident descended into debacle, as the facts, available for review by anyone with the skill or determination to do so, were vigorously denied by TSTT.

But the crosstalk seemed to be happening among an informed and increasingly heated few while the larger population remained unconcerned. For four days after my first reporting on the incident, I was both confused and angry at this laissez faire response.

It seemed inconceivable to me that so few people saw the problem, and the official statements from the Minister of Public Utilities and TSTT flew so blatantly in the face of the facts as to be insulting.

One aspect of this remains an issue of concern. In the face of general apathy about the data breach, mainstream media and online commenters increasingly sought more colourful ways to illustrate the issue, including displays of unredacted personal information.

The laws that should govern the handling of misappropriated information are still frozen in the clauses of the Data Protection Act that have not been brought into local legislation, but commonsense should have moderated some of the more outrageous reporting and demonstrative sharing that characterised an increasingly widespread effort to draw more national attention to the issues raised by the breach.

Ironically, one of the reasons that the Data Protection Act was never fully proclaimed was a vigorous and sustained objection by local media to the chilling effect on reporting that would have resulted from an implementation of the legislation as originally drafted.

It’s important for journalists to view and confirm information before reporting it to the wider public, even if the documents are too sensitive to be widely shared.

If everyone is saying the sky is blue, it’s the journalist’s job to always open the window and look. If the laws deny that basic precept, they also neuter a fundamental strength of journalism and its importance to the public interest.

In the Massy breach, I had access to the dark web onionsite hosting the breached information and began downloading it before reconsidering. Was I going to be taking possession of stolen goods?

At that point, I believed that there was already enough in the public domain to make that story clear, but I might have been wrong.

Who knows how much sensitive personally identifiable information (PII) has already been bobbing around on the dark web as a result of the previously reported local data breaches that we haven’t seen the scope of as well as those that we don’t know anything about.

Illustration by lightsource/DepositPhotos.com

If nothing else, the widespread enthusiasms of the last two weeks make it clear that laws are needed, but they must establish parameters that allow practicing journalists to evaluate and inform the public, compel companies to disclose the nature and scale of data lost and penalise carelessness in data gathering, management and security.

It would be a terrible misunderstanding of the situation to assume that because there has been no leak of sensitive information such as credit card numbers that the leak is harmless.

What is in the public domain as a consequence of this leak and others involving the (PII) of hundreds of thousands of people, perhaps as many as millions if the data exfiltrated from the recent breaches involving PriceSmart and Courts go public, is a trove of information that at the very least, a gold mine for marketing.

TSTT’s handling of this incident was disgraceful, but not surprising. In November 2019, I wrote a story about the fragile state of the company’s back office accounting software.

It took six months and background conversations with six employees under NDA, three of them retired, to gather the information that forced the interview that produced that story.

I was told that TSTT was not happy about it, but the company kept silent, hoping that the complex and technical nature of the story would bury it. And they were right. Then.

In their press release on October 30, I saw elements of the same playbook, an effort to impress the public with their capable corporate handling of the situation while determinedly downplaying the potential impact of the data breach.

When faltering billing system created problems for people trying to pay their bills or trying to find payments that were lost, the company dissembled vaguely.

With the 2023 data breach, the creeping realisation slowly came home for hundreds of thousands of people that their personal information was in the public domain.

What had been conceptually private was now digital bottom in the road.

It isn’t clear that TSTT has learned anything from this experience. Five days after the breach went public, the company apologised, but it did so in the sixth paragraph of an eight paragraph press release, the definition of “Oh, by the way, sorry about that.”

A slightly less equivocal, but signed response came from CEO Lisa Agard two weeks later.

The state’s only reaction to its errant company (GoRTT is the majority shareholder in TSTT) has been to fulminate about investigations and we all know what happens to those.

The TT Cybersecurity Incident Response Team’s (TTCSIRT) monosyllabic responses to questions about the breach on November 08 (https://cstu.io/2496f6) are probably the best summary of the problem.

With no law governing misuse of data, no crime has been committed. The TTCSIRT is essentially powerless to intercede with anyone who doesn’t invite them in. The state is still figuring out what’s happened.

The single take-away, our sole solace, should be an understanding of the insecurity and uncertainty a lapse in cybersecurity can wreak and our profit should be what we have learned from it.

But it isn’t clear that anyone in a position of responsibility has been studying that homework.

America’s open mic moment

America’s open mic moment

What made online pundits so effective in the US election?
Read More
The press and the president-elect

The press and the president-elect

Beyond the president-elect's often-expressed intent to retaliate against journalists he believes are unfairly attacking him is the agenda of Project 2025.
Read More
All washed up

All washed up

Dirt on its own will simply shake out of fabric. What keeps it in place is oil and grease, readily generated by human skin.
Read More
Samsung extends Knox security to its home appliances

Samsung extends Knox security to its home appliances

Knox Matrix is a security solution that comprehensively protects connected devices and networks using private blockchain technology.
Read More
bmobile and CARIRI host 3,500 children at Innovation Camp

bmobile and CARIRI host 3,500 children at Innovation Camp

In the Power Up Competition, students were challenged to develop solutions for real-world problems particularly those affecting the environment.
Read More
The state of Caribbean digital transformation

The state of Caribbean digital transformation

Despite 87 per cent believing that digital will disrupt their industry, 87 per cent acknowledged that they don't have the right leaders
Read More
The WordPress War

The WordPress War

WPEngine and the websites of its customers were blocked from the WordPress log-in system theme and plug-in updates and other background processes that enable a Wordpress website.
Read More
A budget of concrete and asphalt

A budget of concrete and asphalt

Four years after Hassel Bacchus took up the pioneering role of Digital Transformation Minister, the 2025 budget could not identify any completed transformation project that's positively affected citizens.
Read More
Being secure when making tap to pay transactions

Being secure when making tap to pay transactions

Each transaction is accompanied by a unique code that securely protects cardholder payment information.
Read More
TT Digital Transformation Minister re-elected president of CTU

TT Digital Transformation Minister re-elected president of CTU

“The Caribbean cannot be a mere onlooker. Rather, we must be active innovators and contributors, ensuring that our regional priorities, unique perspectives and culture are safeguarded and prioritised at a...
Read More
Holy Faith Penal wins TT leg of Samsung’s Solve for Tomorrow

Holy Faith Penal wins TT leg of Samsung’s Solve for Tomorrow

In Trinidad and Tobago the team from Holy Faith Convent Penal was chosen as the winner presenting the project called “My Neighbour’s Keeper”.
Read More
Arima’s first step toward becoming a smart city

Arima’s first step toward becoming a smart city

The public WiFi was officially activated on September 28 at the hospital, and it's fast. A local ping registered 250 megabits of download speed and 126 for upload.
Read More
MDT opens D’Hub to teenage technologists

MDT opens D’Hub to teenage technologists

The Ministry is committed to nurturing young tech enthusiasts in the field of information and communications technology.
Read More
America’s open mic moment America’s open mic moment
The press and the president-elect The press and the president-elect
All washed up All washed up
Samsung extends Knox security to its home appliances Samsung extends Knox security to its...
bmobile and CARIRI host 3,500 children at Innovation Camp bmobile and CARIRI host 3,500 children...
The state of Caribbean digital transformation The state of Caribbean digital transformation
The WordPress War The WordPress War
A budget of concrete and asphalt A budget of concrete and asphalt
Being secure when making tap to pay transactions Being secure when making tap to...
TT Digital Transformation Minister re-elected president of CTU TT Digital Transformation Minister re-elected president...
Holy Faith Penal wins TT leg of Samsung’s Solve for Tomorrow Holy Faith Penal wins TT leg...
Arima’s first step toward becoming a smart city Arima’s first step toward becoming a...
MDT opens D’Hub to teenage technologists MDT opens D’Hub to teenage technologists

🤞 Get connected!

A once weekly email notification of new stories on TechNewsTT. Just that. No spam.

Possible UI Glitch. Click top right corner to dismiss 👉

Get Connected!

A once weekly email notification of new stories on TechNewsTT.

Just that. No spam.

Related posts
BitDepthFeatured

America’s open mic moment

4 Mins read
What made online pundits so effective in the US election?
BitDepthFeatured

The press and the president-elect

4 Mins read
Beyond the president-elect’s often-expressed intent to retaliate against journalists he believes are unfairly attacking him is the agenda of Project 2025.
News Briefs

TSTT confirms Kent Western as CEO

1 Mins read
Effective October 01, 2024, TSTT has confirmed the appointment of Kent Western as Chief Executive Officer. Western has been acting…
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

3 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Party Pooper
Party Pooper
1 year ago

Thank you for sharing this information.

I’m upset in several ways. Generally speaking, I wonder what kind of IT security TSTT practices. Actually, whether they understand the concept at all.

Far too often, I’ve seen companies treat IT as some kind of plumbing, connecting together what they regard as a set of electronic typewriters. Yes, the great benefit of PCs is that they are quieter than the old IBM Selectric typewriters they replaced.

Apparently, we’re still at the level where people working in at least one local ISP still use calculators to add up columns in their spreadsheets before entering the total of the column! Don’t laugh!

As for management’s awareness of security, it’s largely ignored. Unless companies can be successfully sued for data breaches, that’s NEVER going to change.

I remember, after spending an hour in the Fraud Squad explaining an attempt to defraud a company of US$290,000, when I suggested to the general manager that perhaps now we should think about discussing computer security, that person responded that I should just do whatever I thought was necessary, not even wanting to discuss it.

Data security is so far off the radar of companies in Trinidad that it should be considered non-existent. Perhaps the banks are slightly better. But we have seen several times in the past where customers’ bank details have appeared in the newspapers, haven’t we?

The only thing I’ve heard is that, from time to time, the more “advanced” companies force their employees to watch some videos on security and perhaps, take a test on what they just watched, lip service to proper computer security.

Why weren’t these databases encrypted? Why wasn’t the data traffic being monitored? Was there no way for unusual activity to raise an alarm?

Why weren’t the IT staff trained in defensive security? Oh wait, I know the answer to that one! Too expensive! Companies don’t like to train staff any more because that training makes them more valuable and they can jump ship to get a better salary elsewhere after they’ve been trained!

Come to think of it, nobody has employees anymore, only contractors. Job security has disappeared! Why do we need trained system administrators any more, we have everything on the cloud!

Another thing local businesses don’t invest in, is documentation. Nobody writes anything down! Why would they? If job security is not guaranteed, the only way to hold on to your job, is to keep the important information secret! So, IT people never write anything down! They are a tight cliche, a closed priesthood! Job security through obscurity!

With a business culture that is so myopic and closed, data breaches are an inevitable result.

And without the legal ability to sue these coempanies, the public is helpless to do anything about it.

Welcome to the backwaters of 21st century civilisation!

Taran Rampersad
Taran Rampersad
Reply to  Party Pooper
1 year ago

I often look back 20 years or so in my professional experience abroad and think, “Oh, I remember this part of history abroad.”

dennise
1 year ago

Thanks for continuing to comment objectively on this horrible situation. I have not seen or read anything which makes me confident that we have taken any preventative action. I shudder to think of if this happens again and citizens have very little recourse. Changing passwords seems to be not enough. We must find a way to move forward in this digital world.

×
FeaturedTechnology Reporting

TSTT's week of evasion and half-truths

3
0
Share your perspective in the comments!x
()
x