Above: Illustration by nateemee/123RF.com
BitDepth#1432 for November 13, 2023
The TSTT data breach that went public on October 27 might have been the noisiest consequence of a cyberattack that Trinidad and Tobago has experienced so far, but it wasn’t the first.
In the case of the ANSA McAl, Massy, Port of Spain City Corporation and Attorney General’s office breaches, along with two others that I know of that were never made public, the saving grace was that the punitive dump of data was never widely distributed.
In others, like the recently discovered 2021 Digicel Group breach, the files are available but so fragmented (337 archived parts each 500MB in size) that downloading the data on the glacially slow dark web network is a task reserved for the truly determined.
By last week, roughly eight days after I broke the story on October 28, the 6GB of exfiltrated TSTT files had moved beyond the dark web to file sharing sites on the open internet.
The incident descended into debacle, as the facts, available for review by anyone with the skill or determination to do so, were vigorously denied by TSTT.
But the crosstalk seemed to be happening among an informed and increasingly heated few while the larger population remained unconcerned. For four days after my first reporting on the incident, I was both confused and angry at this laissez faire response.
It seemed inconceivable to me that so few people saw the problem, and the official statements from the Minister of Public Utilities and TSTT flew so blatantly in the face of the facts as to be insulting.
One aspect of this remains an issue of concern. In the face of general apathy about the data breach, mainstream media and online commenters increasingly sought more colourful ways to illustrate the issue, including displays of unredacted personal information.
The laws that should govern the handling of misappropriated information are still frozen in the clauses of the Data Protection Act that have not been brought into local legislation, but commonsense should have moderated some of the more outrageous reporting and demonstrative sharing that characterised an increasingly widespread effort to draw more national attention to the issues raised by the breach.
Ironically, one of the reasons that the Data Protection Act was never fully proclaimed was a vigorous and sustained objection by local media to the chilling effect on reporting that would have resulted from an implementation of the legislation as originally drafted.
It’s important for journalists to view and confirm information before reporting it to the wider public, even if the documents are too sensitive to be widely shared.
If everyone is saying the sky is blue, it’s the journalist’s job to always open the window and look. If the laws deny that basic precept, they also neuter a fundamental strength of journalism and its importance to the public interest.
In the Massy breach, I had access to the dark web onionsite hosting the breached information and began downloading it before reconsidering. Was I going to be taking possession of stolen goods?
At that point, I believed that there was already enough in the public domain to make that story clear, but I might have been wrong.
Who knows how much sensitive personally identifiable information (PII) has already been bobbing around on the dark web as a result of the previously reported local data breaches that we haven’t seen the scope of as well as those that we don’t know anything about.
If nothing else, the widespread enthusiasms of the last two weeks make it clear that laws are needed, but they must establish parameters that allow practicing journalists to evaluate and inform the public, compel companies to disclose the nature and scale of data lost and penalise carelessness in data gathering, management and security.
It would be a terrible misunderstanding of the situation to assume that because there has been no leak of sensitive information such as credit card numbers that the leak is harmless.
What is in the public domain as a consequence of this leak and others involving the (PII) of hundreds of thousands of people, perhaps as many as millions if the data exfiltrated from the recent breaches involving PriceSmart and Courts go public, is a trove of information that at the very least, a gold mine for marketing.
TSTT’s handling of this incident was disgraceful, but not surprising. In November 2019, I wrote a story about the fragile state of the company’s back office accounting software.
It took six months and background conversations with six employees under NDA, three of them retired, to gather the information that forced the interview that produced that story.
I was told that TSTT was not happy about it, but the company kept silent, hoping that the complex and technical nature of the story would bury it. And they were right. Then.
In their press release on October 30, I saw elements of the same playbook, an effort to impress the public with their capable corporate handling of the situation while determinedly downplaying the potential impact of the data breach.
When faltering billing system created problems for people trying to pay their bills or trying to find payments that were lost, the company dissembled vaguely.
With the 2023 data breach, the creeping realisation slowly came home for hundreds of thousands of people that their personal information was in the public domain.
What had been conceptually private was now digital bottom in the road.
It isn’t clear that TSTT has learned anything from this experience. Five days after the breach went public, the company apologised, but it did so in the sixth paragraph of an eight paragraph press release, the definition of “Oh, by the way, sorry about that.”
A slightly less equivocal, but signed response came from CEO Lisa Agard two weeks later.
The state’s only reaction to its errant company (GoRTT is the majority shareholder in TSTT) has been to fulminate about investigations and we all know what happens to those.
The TT Cybersecurity Incident Response Team’s (TTCSIRT) monosyllabic responses to questions about the breach on November 08 (https://cstu.io/2496f6) are probably the best summary of the problem.
With no law governing misuse of data, no crime has been committed. The TTCSIRT is essentially powerless to intercede with anyone who doesn’t invite them in. The state is still figuring out what’s happened.
The single take-away, our sole solace, should be an understanding of the insecurity and uncertainty a lapse in cybersecurity can wreak and our profit should be what we have learned from it.
But it isn’t clear that anyone in a position of responsibility has been studying that homework.
Thank you for sharing this information.
I’m upset in several ways. Generally speaking, I wonder what kind of IT security TSTT practices. Actually, whether they understand the concept at all.
Far too often, I’ve seen companies treat IT as some kind of plumbing, connecting together what they regard as a set of electronic typewriters. Yes, the great benefit of PCs is that they are quieter than the old IBM Selectric typewriters they replaced.
Apparently, we’re still at the level where people working in at least one local ISP still use calculators to add up columns in their spreadsheets before entering the total of the column! Don’t laugh!
As for management’s awareness of security, it’s largely ignored. Unless companies can be successfully sued for data breaches, that’s NEVER going to change.
I remember, after spending an hour in the Fraud Squad explaining an attempt to defraud a company of US$290,000, when I suggested to the general manager that perhaps now we should think about discussing computer security, that person responded that I should just do whatever I thought was necessary, not even wanting to discuss it.
Data security is so far off the radar of companies in Trinidad that it should be considered non-existent. Perhaps the banks are slightly better. But we have seen several times in the past where customers’ bank details have appeared in the newspapers, haven’t we?
The only thing I’ve heard is that, from time to time, the more “advanced” companies force their employees to watch some videos on security and perhaps, take a test on what they just watched, lip service to proper computer security.
Why weren’t these databases encrypted? Why wasn’t the data traffic being monitored? Was there no way for unusual activity to raise an alarm?
Why weren’t the IT staff trained in defensive security? Oh wait, I know the answer to that one! Too expensive! Companies don’t like to train staff any more because that training makes them more valuable and they can jump ship to get a better salary elsewhere after they’ve been trained!
Come to think of it, nobody has employees anymore, only contractors. Job security has disappeared! Why do we need trained system administrators any more, we have everything on the cloud!
Another thing local businesses don’t invest in, is documentation. Nobody writes anything down! Why would they? If job security is not guaranteed, the only way to hold on to your job, is to keep the important information secret! So, IT people never write anything down! They are a tight cliche, a closed priesthood! Job security through obscurity!
With a business culture that is so myopic and closed, data breaches are an inevitable result.
And without the legal ability to sue these coempanies, the public is helpless to do anything about it.
Welcome to the backwaters of 21st century civilisation!
I often look back 20 years or so in my professional experience abroad and think, “Oh, I remember this part of history abroad.”
Thanks for continuing to comment objectively on this horrible situation. I have not seen or read anything which makes me confident that we have taken any preventative action. I shudder to think of if this happens again and citizens have very little recourse. Changing passwords seems to be not enough. We must find a way to move forward in this digital world.