OpinionWhat does the TSTT breach mean for customers?

What does the TSTT breach mean for customers?

Above: Rishi Maharaj.

Data protection consultant Rishi Maharaj on the TSTT Breach

From a Data Protection standpoint (which we don’t have but other countries in the region have adopted) there are several areas of concern.

Timing of the Disclosure: TSTT mentions that they became aware of the cyber-attack on October 9th, 2023. The gap between the attack and public disclosure appears to be significant, which could be concerning under Data Protection principles, especially as people’s personal data was comprised. From a data Protection perspective, reports should be made to a regulator within a specific time frame, namely 3 to 5 days and individuals must be informed, but alas we have no laws that place these requirements on companies here.

Nature of the Data: The breach reportedly includes customer lines, ID scans, and database dumps. ID scans can be considered as sensitive data, and its exfiltration poses significant risks for identity theft and fraud.

Assertion of ‘No Loss or Compromise’: TSTT states that there was “no loss or compromise of customer data”. However, considering the purported evidence available on the dark web, this claim may appear to contradict the presented data by RansomEXX. Under Data Protection best practice, transparency and accuracy in communication are critical.

Data Volumes and Relevance: TSTT points out that its platforms generate terabytes of data, possibly attempting to downplay the significance of the purported 6GB of exfiltrated data. While this might be accurate in the context of total data volume, GDPR focuses on the quality and sensitivity of data, not quantity. The sheer number of affected customers and the types of data involved make this breach significant.

In light of the recent cyber-attack on TSTT, their statement raises several concerns from a Data Protection perspective. The delayed disclosure, and the apparent contradiction between their claims and evidence presented by the hackers are alarming.

While TSTT’s proactive response in securing their systems is commendable, the nature of the data involved—especially the ID scans—poses a significant risk.

TSTT’s emphasis on the vast amounts of data they handle might be an attempt to downplay the breach’s gravity. However, from a Data Protection standpoint, it’s not the volume but the sensitivity and relevance of the data that counts. The situation underscores the need for transparent, accurate, and prompt communication in the face of security breaches.

Again, it places the need for revised legislation not only from a Data Protection perspective but also a cyber crime perspective to provide for an independent regulator and also to empower TT CSIRT with the ability to independently act and ensure accuracy and timely release of information and investigations and also to hold companies honest and accountable.

About Rishi Maharaj

Rishi Maharaj is a graduate of the University of the West Indies with a BSc. and MSc. in Government. He is a Certified Information Privacy Manager and provides consultancies through Privicy Advisory Services which assists organizations through data expansion and digital transformation, emphasizing the reduction of compliance burdens.

With over 15 years in the public and privacy sectors, he offers deep insights into government workings and the challenges of digital transformation. Notably, Rishi spearheaded the finalization and partial proclamation of Trinidad and Tobago’s Data Protection Act in 2011 and contributed to international model data protection legislation.

In the private sector, he helps businesses to align with GDPR and regional data protection standards, using compliance as a unique differentiator to boost organizational value and foster trust and engagement. He is a member of both the Canadian Institute of Access and Privacy Professionals and the International Association of Privacy Professionals.

Related Posts…

How should business and government embrace AI?

How should business and government embrace AI?

"Very few people in the world can quantify the fiscal value of AI." - Anton Alexander
Read More
The data privacy issues in TT’s national ID platform

The data privacy issues in TT’s national ID platform

A country building a biometric database with no enforceable data-protection law is a live risk in the abstract.
Read More
Digicel, LoopUp partner to bring Microsoft Teams telephony to the Caribbean

Digicel, LoopUp partner to bring Microsoft Teams telephony to the Caribbean

By partnering with LoopUp, we can give our enterprise customers a seamless, fully managed Teams telephony experience
Read More
iVote Live launches with a focus on improved governance for organisations

iVote Live launches with a focus on improved governance for organisations

"A platform does not automatically create good governance. A digital vote does not automatically create democracy."
Read More
Maximize online impact with content that connects

Maximize online impact with content that connects

Staying visible online is hard when daily demands compete with the pressure to post often, stay on-brand, and still sound human
Read More
How influencer marketing works in the Caribbean

How influencer marketing works in the Caribbean

You have to really trust in this influencer to represent your brand, to be an advocate, to be the voice of your brand.
Read More
Your children: More device use means more cyber risk

Your children: More device use means more cyber risk

Shared family devices are often overlooked in terms of software updates and become gateways for cybercriminals.
Read More
CIBC Caribbean cards can now be added to Google Wallets

CIBC Caribbean cards can now be added to Google Wallets

Clients will be able to store Visa and Mastercard Credit Cards and Visa Debit Cards within Google Wallet, a digital wallet that's also launching in these markets.
Read More
Samsung Electronics expands water replenisment in 2026 Sustainability Report

Samsung Electronics expands water replenisment in 2026 Sustainability Report

Across its supply chain, Samsung expanded the scope of third-party audits to include 122 first-tier suppliers and 39 second-tier suppliers.
Read More
Yes, a website is work. Yes, it’s worth it

Yes, a website is work. Yes, it’s worth it

AI tools suck up the content of creators across the open internet, turning their work into a pudding of responses in search.
Read More
How should business and government embrace AI? How should business and government embrace...
The data privacy issues in TT’s national ID platform The data privacy issues in TT’s...
Digicel, LoopUp partner to bring Microsoft Teams telephony to the Caribbean Digicel, LoopUp partner to bring Microsoft...
iVote Live launches with a focus on improved governance for organisations iVote Live launches with a focus...
Maximize online impact with content that connects Maximize online impact with content that...
How influencer marketing works in the Caribbean How influencer marketing works in the...
Your children: More device use means more cyber risk Your children: More device use means...
CIBC Caribbean cards can now be added to Google Wallets CIBC Caribbean cards can now be...
Samsung Electronics expands water replenisment in 2026 Sustainability Report Samsung Electronics expands water replenisment in...
Yes, a website is work. Yes, it’s worth it Yes, a website is work. Yes,...

🤞 Get connected!

A once weekly email notification of new stories on TechNewsTT. Just that. No spam.

Possible UI Glitch. Click top right corner to dismiss 👉

Get Connected!

A once weekly email notification of new stories on TechNewsTT.

Just that. No spam.

RELATED POSTS