BitDepthTSTT's dark night of the soul

TSTT’s dark night of the soul

Above: Illustration by nateemee/123RF.com

BitDepth#1432 for November 13, 2023

The TSTT data breach that went public on October 27 might have been the noisiest consequence of a cyberattack that Trinidad and Tobago has experienced so far, but it wasn’t the first.

In the case of the ANSA McAl, Massy, Port of Spain City Corporation and Attorney General’s office breaches, along with two others that I know of that were never made public, the saving grace was that the punitive dump of data was never widely distributed.

In others, like the recently discovered 2021 Digicel Group breach, the files are available but so fragmented (337 archived parts each 500MB in size) that downloading the data on the glacially slow dark web network is a task reserved for the truly determined.

By last week, roughly eight days after I broke the story on October 28, the 6GB of exfiltrated TSTT files had moved beyond the dark web to file sharing sites on the open internet.

The incident descended into debacle, as the facts, available for review by anyone with the skill or determination to do so, were vigorously denied by TSTT.

But the crosstalk seemed to be happening among an informed and increasingly heated few while the larger population remained unconcerned. For four days after my first reporting on the incident, I was both confused and angry at this laissez faire response.

It seemed inconceivable to me that so few people saw the problem, and the official statements from the Minister of Public Utilities and TSTT flew so blatantly in the face of the facts as to be insulting.

One aspect of this remains an issue of concern. In the face of general apathy about the data breach, mainstream media and online commenters increasingly sought more colourful ways to illustrate the issue, including displays of unredacted personal information.

The laws that should govern the handling of misappropriated information are still frozen in the clauses of the Data Protection Act that have not been brought into local legislation, but commonsense should have moderated some of the more outrageous reporting and demonstrative sharing that characterised an increasingly widespread effort to draw more national attention to the issues raised by the breach.

Ironically, one of the reasons that the Data Protection Act was never fully proclaimed was a vigorous and sustained objection by local media to the chilling effect on reporting that would have resulted from an implementation of the legislation as originally drafted.

It’s important for journalists to view and confirm information before reporting it to the wider public, even if the documents are too sensitive to be widely shared.

If everyone is saying the sky is blue, it’s the journalist’s job to always open the window and look. If the laws deny that basic precept, they also neuter a fundamental strength of journalism and its importance to the public interest.

In the Massy breach, I had access to the dark web onionsite hosting the breached information and began downloading it before reconsidering. Was I going to be taking possession of stolen goods?

At that point, I believed that there was already enough in the public domain to make that story clear, but I might have been wrong.

Who knows how much sensitive personally identifiable information (PII) has already been bobbing around on the dark web as a result of the previously reported local data breaches that we haven’t seen the scope of as well as those that we don’t know anything about.

Illustration by lightsource/DepositPhotos.com

If nothing else, the widespread enthusiasms of the last two weeks make it clear that laws are needed, but they must establish parameters that allow practicing journalists to evaluate and inform the public, compel companies to disclose the nature and scale of data lost and penalise carelessness in data gathering, management and security.

It would be a terrible misunderstanding of the situation to assume that because there has been no leak of sensitive information such as credit card numbers that the leak is harmless.

What is in the public domain as a consequence of this leak and others involving the (PII) of hundreds of thousands of people, perhaps as many as millions if the data exfiltrated from the recent breaches involving PriceSmart and Courts go public, is a trove of information that at the very least, a gold mine for marketing.

TSTT’s handling of this incident was disgraceful, but not surprising. In November 2019, I wrote a story about the fragile state of the company’s back office accounting software.

It took six months and background conversations with six employees under NDA, three of them retired, to gather the information that forced the interview that produced that story.

I was told that TSTT was not happy about it, but the company kept silent, hoping that the complex and technical nature of the story would bury it. And they were right. Then.

In their press release on October 30, I saw elements of the same playbook, an effort to impress the public with their capable corporate handling of the situation while determinedly downplaying the potential impact of the data breach.

When faltering billing system created problems for people trying to pay their bills or trying to find payments that were lost, the company dissembled vaguely.

With the 2023 data breach, the creeping realisation slowly came home for hundreds of thousands of people that their personal information was in the public domain.

What had been conceptually private was now digital bottom in the road.

It isn’t clear that TSTT has learned anything from this experience. Five days after the breach went public, the company apologised, but it did so in the sixth paragraph of an eight paragraph press release, the definition of “Oh, by the way, sorry about that.”

A slightly less equivocal, but signed response came from CEO Lisa Agard two weeks later.

The state’s only reaction to its errant company (GoRTT is the majority shareholder in TSTT) has been to fulminate about investigations and we all know what happens to those.

The TT Cybersecurity Incident Response Team’s (TTCSIRT) monosyllabic responses to questions about the breach on November 08 (https://cstu.io/2496f6) are probably the best summary of the problem.

With no law governing misuse of data, no crime has been committed. The TTCSIRT is essentially powerless to intercede with anyone who doesn’t invite them in. The state is still figuring out what’s happened.

The single take-away, our sole solace, should be an understanding of the insecurity and uncertainty a lapse in cybersecurity can wreak and our profit should be what we have learned from it.

But it isn’t clear that anyone in a position of responsibility has been studying that homework.

Social permission and the data center

Social permission and the data center

Generating equipment would have to be designed for the sea-salt laden air found even inland on an island.
Read More
Support us

Support us

Donate to support our work.
Read More
Brightstar Lottery launches 6th Annual Coding & Robotics Rock! Camp

Brightstar Lottery launches 6th Annual Coding & Robotics Rock! Camp

We want students in Trinidad and Tobago to understand these technologies from the inside, as innovators and problem-solvers.
Read More
How should business and government embrace AI?

How should business and government embrace AI?

"Very few people in the world can quantify the fiscal value of AI." - Anton Alexander
Read More
A request of readers

A request of readers

This is what's been happening since Newsday went away.
Read More
The data privacy issues in TT’s national ID platform

The data privacy issues in TT’s national ID platform

A country building a biometric database with no enforceable data-protection law is a live risk in the abstract.
Read More
Digicel, LoopUp partner to bring Microsoft Teams telephony to the Caribbean

Digicel, LoopUp partner to bring Microsoft Teams telephony to the Caribbean

By partnering with LoopUp, we can give our enterprise customers a seamless, fully managed Teams telephony experience
Read More
iVote Live launches with a focus on improved governance for organisations

iVote Live launches with a focus on improved governance for organisations

"A platform does not automatically create good governance. A digital vote does not automatically create democracy."
Read More
Maximize online impact with content that connects

Maximize online impact with content that connects

Staying visible online is hard when daily demands compete with the pressure to post often, stay on-brand, and still sound human
Read More
How influencer marketing works in the Caribbean

How influencer marketing works in the Caribbean

You have to really trust in this influencer to represent your brand, to be an advocate, to be the voice of your brand.
Read More
Your children: More device use means more cyber risk

Your children: More device use means more cyber risk

Shared family devices are often overlooked in terms of software updates and become gateways for cybercriminals.
Read More
CIBC Caribbean cards can now be added to Google Wallets

CIBC Caribbean cards can now be added to Google Wallets

Clients will be able to store Visa and Mastercard Credit Cards and Visa Debit Cards within Google Wallet, a digital wallet that's also launching in these markets.
Read More
Samsung Electronics expands water replenisment in 2026 Sustainability Report

Samsung Electronics expands water replenisment in 2026 Sustainability Report

Across its supply chain, Samsung expanded the scope of third-party audits to include 122 first-tier suppliers and 39 second-tier suppliers.
Read More
Social permission and the data center Social permission and the data center
Support us Support us
Brightstar Lottery launches 6th Annual Coding & Robotics Rock! Camp Brightstar Lottery launches 6th Annual Coding...
How should business and government embrace AI? How should business and government embrace...
A request of readers A request of readers
The data privacy issues in TT’s national ID platform The data privacy issues in TT’s...
Digicel, LoopUp partner to bring Microsoft Teams telephony to the Caribbean Digicel, LoopUp partner to bring Microsoft...
iVote Live launches with a focus on improved governance for organisations iVote Live launches with a focus...
Maximize online impact with content that connects Maximize online impact with content that...
How influencer marketing works in the Caribbean How influencer marketing works in the...
Your children: More device use means more cyber risk Your children: More device use means...
CIBC Caribbean cards can now be added to Google Wallets CIBC Caribbean cards can now be...
Samsung Electronics expands water replenisment in 2026 Sustainability Report Samsung Electronics expands water replenisment in...

🤞 Get connected!

A once weekly email notification of new stories on TechNewsTT. Just that. No spam.

Possible UI Glitch. Click top right corner to dismiss 👉

Get Connected!

A once weekly email notification of new stories on TechNewsTT.

Just that. No spam.

RELATED POSTS