FeaturedOpinion

What does the TSTT breach mean for customers?

By
2 Mins read
8262
Share

Above: Rishi Maharaj.

Data protection consultant Rishi Maharaj on the TSTT Breach

From a Data Protection standpoint (which we don’t have but other countries in the region have adopted) there are several areas of concern.

Timing of the Disclosure: TSTT mentions that they became aware of the cyber-attack on October 9th, 2023. The gap between the attack and public disclosure appears to be significant, which could be concerning under Data Protection principles, especially as people’s personal data was comprised. From a data Protection perspective, reports should be made to a regulator within a specific time frame, namely 3 to 5 days and individuals must be informed, but alas we have no laws that place these requirements on companies here.

Nature of the Data: The breach reportedly includes customer lines, ID scans, and database dumps. ID scans can be considered as sensitive data, and its exfiltration poses significant risks for identity theft and fraud.

Assertion of ‘No Loss or Compromise’: TSTT states that there was “no loss or compromise of customer data”. However, considering the purported evidence available on the dark web, this claim may appear to contradict the presented data by RansomEXX. Under Data Protection best practice, transparency and accuracy in communication are critical.

Data Volumes and Relevance: TSTT points out that its platforms generate terabytes of data, possibly attempting to downplay the significance of the purported 6GB of exfiltrated data. While this might be accurate in the context of total data volume, GDPR focuses on the quality and sensitivity of data, not quantity. The sheer number of affected customers and the types of data involved make this breach significant.

In light of the recent cyber-attack on TSTT, their statement raises several concerns from a Data Protection perspective. The delayed disclosure, and the apparent contradiction between their claims and evidence presented by the hackers are alarming.

While TSTT’s proactive response in securing their systems is commendable, the nature of the data involved—especially the ID scans—poses a significant risk.

TSTT’s emphasis on the vast amounts of data they handle might be an attempt to downplay the breach’s gravity. However, from a Data Protection standpoint, it’s not the volume but the sensitivity and relevance of the data that counts. The situation underscores the need for transparent, accurate, and prompt communication in the face of security breaches.

Again, it places the need for revised legislation not only from a Data Protection perspective but also a cyber crime perspective to provide for an independent regulator and also to empower TT CSIRT with the ability to independently act and ensure accuracy and timely release of information and investigations and also to hold companies honest and accountable.

About Rishi Maharaj

Rishi Maharaj is a graduate of the University of the West Indies with a BSc. and MSc. in Government. He is a Certified Information Privacy Manager and provides consultancies through Privicy Advisory Services which assists organizations through data expansion and digital transformation, emphasizing the reduction of compliance burdens.

With over 15 years in the public and privacy sectors, he offers deep insights into government workings and the challenges of digital transformation. Notably, Rishi spearheaded the finalization and partial proclamation of Trinidad and Tobago’s Data Protection Act in 2011 and contributed to international model data protection legislation.

In the private sector, he helps businesses to align with GDPR and regional data protection standards, using compliance as a unique differentiator to boost organizational value and foster trust and engagement. He is a member of both the Canadian Institute of Access and Privacy Professionals and the International Association of Privacy Professionals.

Related Posts…

TATT answers questions about its cybersecurity framework for telcoms, broadcasters

TATT answers questions about its cybersecurity framework for telcoms, broadcasters

By Mark Lyndersay / February 10, 2026
Meaningful cybersecurity incidents are those that result in loss or degradation of services, whether isolated or widespread, due to compromised network element.
Read More
News is a niche until it’s not

News is a niche until it’s not

By Mark Lyndersay / February 9, 2026
The New York Times produced approximately 230 pieces of content per day on average; The Washington Post, more than 500 per day in 2016
Read More
FT’s second Next Gen News report offers deeper insights

FT’s second Next Gen News report offers deeper insights

By Mark Lyndersay / February 9, 2026
Successful producers are reversing the journalism process, dismantling the inverted pyramid of news structure
Read More
Strengthening Cloud Defense: The Shared Responsibility Model

Strengthening Cloud Defense: The Shared Responsibility Model

By OpEd / February 6, 2026
Every business process, whether it’s managed in-house or hosted in the cloud, still needs to have dedicated ownership to keep accountability where it belongs.
Read More
Ransomware report notes fourth quarter 2025 attack surge

Ransomware report notes fourth quarter 2025 attack surge

By Mark Lyndersay / February 2, 2026
"The year 2026 will likely see continued convergence of criminal innovation and AI capabilities, demanding that defenders adopt equally sophisticated technologies and intelligence-led approaches."
Read More
Samsung reports US$231 billion in 2025 revenue

Samsung reports US$231 billion in 2025 revenue

By Press Release / January 30, 2026
Samsung reported US$231 billion in annual revenue and US$30.5 billion in operating profit.
Read More

WiPay’s NPCJ supports Jamaica rebuilding initiative

By Mark Lyndersay / January 30, 2026
The government support project benefits from WiPay's payment solution that enables digital grants offered under the Government of Jamaica.
Read More
Hands-on with Apple’s Creator Studio as a non-subscriber

Hands-on with Apple’s Creator Studio as a non-subscriber

By Mark Lyndersay / January 30, 2026
It’s not hard to imagine someone in a hurry clicking madly along only to find themselves a subscriber through haste.
Read More
Apple flirts with subscription software

Apple flirts with subscription software

By Mark Lyndersay / January 26, 2026
Are we all being coaxed and tranquilized into accepting as a norm, the idea that the computing tools we pay for are not things we own anymore?
Read More
Digicel announces Deep Blue One connection to Tobago

Digicel announces Deep Blue One connection to Tobago

By Press Release / January 23, 2026
"This investment helps minimise the risk of islandwide disruption and gives Tobagonians greater confidence in the reliability of their connectivity, now and into the future."
Read More
TATT answers questions about its cybersecurity framework for telcoms, broadcasters TATT answers questions about its cybersecurity... February 10, 2026
News is a niche until it’s not News is a niche until it’s... February 9, 2026
FT’s second Next Gen News report offers deeper insights FT’s second Next Gen News report... February 9, 2026
Strengthening Cloud Defense: The Shared Responsibility Model Strengthening Cloud Defense: The Shared Responsibility... February 6, 2026
Ransomware report notes fourth quarter 2025 attack surge Ransomware report notes fourth quarter 2025... February 2, 2026
Samsung reports US$231 billion in 2025 revenue Samsung reports US$231 billion in 2025... January 30, 2026
WiPay’s NPCJ supports Jamaica rebuilding initiative January 30, 2026
Hands-on with Apple’s Creator Studio as a non-subscriber Hands-on with Apple’s Creator Studio as... January 30, 2026
Apple flirts with subscription software Apple flirts with subscription software January 26, 2026
Digicel announces Deep Blue One connection to Tobago Digicel announces Deep Blue One connection... January 23, 2026

🤞 Get connected!

A once weekly email notification of new stories on TechNewsTT. Just that. No spam.

Possible UI Glitch. Click top right corner to dismiss 👉

Get Connected!

A once weekly email notification of new stories on TechNewsTT.

Just that. No spam.

8262
Share
Related posts
Press Releases

NPICTT and TSTT announce strategic national partnership for digital payments and eKYC

By
3 Mins read
NPICTT now operates as the national payments infrastructure provider, while its Innovation Centre functions as the entry point for certified digital solutions to be rolled out across the public sector.
Press Releases

TSTT, PSA announce Affinity Plan for 16,000 members

By
2 Mins read
PSA members have access to bundles that combine mobile, broadband internet, TV/landline, and home security services at discounted rates.
Press Releases

UTC, TSTT and National Payment Company sign agreement for national e-KYC platform

By
2 Mins read
It’s scalable, secure, and meets international standards — a strong statement of what our local teams can accomplish
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

2 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
trackback
Roundup: for the week ending 5 November 2023 | ICT Pulse – The leading technology blog in the Caribbean
2 years ago

[…] Trinidad and Tobago – From a Data Protection standpoint (which we don’t have but other countries in the region have adopted) there are several areas of concern… more […]

0
Reply
trackback
Trinidad & Tobago’s state telecommunications provider is hacked, raising questions about data protection laws · Global Voices Advox
2 years ago

[…] writing at Tech News T&T was data protection consultant Rishi Maharaj, who expressed concerns about the timing of the data […]

0
Reply
wpdiscuz   wpDiscuz
×
FeaturedNews Briefs

Updated: TSTT reported hacked by RansomEXX exploit

By
2
0
Share your perspective in the comments!x
()
x