FeaturedOpinion

What does the TSTT breach mean for customers?

By
2 Mins read
8519
Share

Above: Rishi Maharaj.

Data protection consultant Rishi Maharaj on the TSTT Breach

From a Data Protection standpoint (which we don’t have but other countries in the region have adopted) there are several areas of concern.

Timing of the Disclosure: TSTT mentions that they became aware of the cyber-attack on October 9th, 2023. The gap between the attack and public disclosure appears to be significant, which could be concerning under Data Protection principles, especially as people’s personal data was comprised. From a data Protection perspective, reports should be made to a regulator within a specific time frame, namely 3 to 5 days and individuals must be informed, but alas we have no laws that place these requirements on companies here.

Nature of the Data: The breach reportedly includes customer lines, ID scans, and database dumps. ID scans can be considered as sensitive data, and its exfiltration poses significant risks for identity theft and fraud.

Assertion of ‘No Loss or Compromise’: TSTT states that there was “no loss or compromise of customer data”. However, considering the purported evidence available on the dark web, this claim may appear to contradict the presented data by RansomEXX. Under Data Protection best practice, transparency and accuracy in communication are critical.

Data Volumes and Relevance: TSTT points out that its platforms generate terabytes of data, possibly attempting to downplay the significance of the purported 6GB of exfiltrated data. While this might be accurate in the context of total data volume, GDPR focuses on the quality and sensitivity of data, not quantity. The sheer number of affected customers and the types of data involved make this breach significant.

In light of the recent cyber-attack on TSTT, their statement raises several concerns from a Data Protection perspective. The delayed disclosure, and the apparent contradiction between their claims and evidence presented by the hackers are alarming.

While TSTT’s proactive response in securing their systems is commendable, the nature of the data involved—especially the ID scans—poses a significant risk.

TSTT’s emphasis on the vast amounts of data they handle might be an attempt to downplay the breach’s gravity. However, from a Data Protection standpoint, it’s not the volume but the sensitivity and relevance of the data that counts. The situation underscores the need for transparent, accurate, and prompt communication in the face of security breaches.

Again, it places the need for revised legislation not only from a Data Protection perspective but also a cyber crime perspective to provide for an independent regulator and also to empower TT CSIRT with the ability to independently act and ensure accuracy and timely release of information and investigations and also to hold companies honest and accountable.

About Rishi Maharaj

Rishi Maharaj is a graduate of the University of the West Indies with a BSc. and MSc. in Government. He is a Certified Information Privacy Manager and provides consultancies through Privicy Advisory Services which assists organizations through data expansion and digital transformation, emphasizing the reduction of compliance burdens.

With over 15 years in the public and privacy sectors, he offers deep insights into government workings and the challenges of digital transformation. Notably, Rishi spearheaded the finalization and partial proclamation of Trinidad and Tobago’s Data Protection Act in 2011 and contributed to international model data protection legislation.

In the private sector, he helps businesses to align with GDPR and regional data protection standards, using compliance as a unique differentiator to boost organizational value and foster trust and engagement. He is a member of both the Canadian Institute of Access and Privacy Professionals and the International Association of Privacy Professionals.

Related Posts…

Tambini to journalists: “Keep doing what you’re doing”

Tambini to journalists: “Keep doing what you’re doing”

By Mark Lyndersay / May 31, 2026
There are lots of international standards to support that idea of the state supporting the media, but that support is often abused, so it has to be based on real...
Read More
How do we unfetter journalism from the shackles of business?

How do we unfetter journalism from the shackles of business?

By Mark Lyndersay / May 25, 2026
Journalism must dissect information, deepen the understanding of it and bring clarity to the news consumer.
Read More
bmobile launches second youth internship programme, targets 1,200

bmobile launches second youth internship programme, targets 1,200

By Press Release / May 23, 2026
“Strong institutions are measured not only by the services they provide but also by the opportunities they help create.”
Read More
Samsung and Google announce collab on fashionable SmartGlasses

Samsung and Google announce collab on fashionable SmartGlasses

By Press Release / May 21, 2026
With this new AI form factor, we are further expanding the Galaxy device ecosystem. Each device is optimised to deliver unique AI experiences.
Read More
Visa introduces card-based identity verification with Bahamas test

Visa introduces card-based identity verification with Bahamas test

By Press Release / May 15, 2026
Identity is the key to safe commerce. Your Visa card is now the key to secure online identity verification.
Read More
What the Canvas hack tells us about higher education software

What the Canvas hack tells us about higher education software

By Mark Lyndersay / May 15, 2026
Instructure is managing a very different proposition than most software vendors do. It has positioned itself as an education partner managing a wide range of integrations with education software tools.
Read More
Ghost women in AI? Hardly!

Ghost women in AI? Hardly!

By Mark Lyndersay / May 10, 2026
"When I first came out of university a million years ago, everybody was like, why build something here? Just take what's in Europe, lift and shift. That has been the...
Read More
Who will ride the digital rails? The challenge of inclusion

Who will ride the digital rails? The challenge of inclusion

By Nicole Greene / May 9, 2026
A cheque written on one branch of a commercial bank takes four working days to clear at another branch of the same bank. Cheques between two different banks take longer.
Read More
Why Digital Identity is more than an ID card

Why Digital Identity is more than an ID card

By Nicole Greene / May 8, 2026
Digital identity is not chiefly a technology problem. It is a trust problem expressed through technology.
Read More
What a 1956 shipping revolution can teach us about GovTech

What a 1956 shipping revolution can teach us about GovTech

By Nicole Greene / May 6, 2026
Fragmented storage was not a security feature. It was a vulnerability. The databases had been safe only by virtue of being useless to each other.
Read More
Tambini to journalists: “Keep doing what you’re doing” Tambini to journalists: “Keep doing what... May 31, 2026
How do we unfetter journalism from the shackles of business? How do we unfetter journalism from... May 25, 2026
bmobile launches second youth internship programme, targets 1,200 bmobile launches second youth internship programme,... May 23, 2026
Samsung and Google announce collab on fashionable SmartGlasses Samsung and Google announce collab on... May 21, 2026
Visa introduces card-based identity verification with Bahamas test Visa introduces card-based identity verification with... May 15, 2026
What the Canvas hack tells us about higher education software What the Canvas hack tells us... May 15, 2026
Ghost women in AI? Hardly! Ghost women in AI? Hardly! May 10, 2026
Who will ride the digital rails? The challenge of inclusion Who will ride the digital rails?... May 9, 2026
Why Digital Identity is more than an ID card Why Digital Identity is more than... May 8, 2026
What a 1956 shipping revolution can teach us about GovTech What a 1956 shipping revolution can... May 6, 2026

🤞 Get connected!

A once weekly email notification of new stories on TechNewsTT. Just that. No spam.

Possible UI Glitch. Click top right corner to dismiss 👉

Get Connected!

A once weekly email notification of new stories on TechNewsTT.

Just that. No spam.

8519
Share
Related posts
Press Releases

bmobile launches second youth internship programme, targets 1,200

By
3 Mins read
“Strong institutions are measured not only by the services they provide but also by the opportunities they help create.”
BitDepthFeatured

TSTT's payments problem (updated)

By
6 Mins read
Something seems to have collapsed in what should be an efficient, all-digital payment and verification loop.
FeaturedOpinion

DIY data protection Is costing you more than you think

By
3 Mins read
When your DIY system misses an update — even once — you can find yourself out of compliance.
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

2 Comments
Oldest
Newest Most Voted
trackback
Roundup: for the week ending 5 November 2023 | ICT Pulse – The leading technology blog in the Caribbean
2 years ago

[…] Trinidad and Tobago – From a Data Protection standpoint (which we don’t have but other countries in the region have adopted) there are several areas of concern… more […]

0
Reply
trackback
Trinidad & Tobago’s state telecommunications provider is hacked, raising questions about data protection laws · Global Voices Advox
2 years ago

[…] writing at Tech News T&T was data protection consultant Rishi Maharaj, who expressed concerns about the timing of the data […]

0
Reply
wpdiscuz   wpDiscuz
×
FeaturedNews Briefs

Updated: TSTT reported hacked by RansomEXX exploit

By

2
0
Share your perspective in the comments!x
()
x