Above: Illustration by HernanHyper/DepositPhotos
Originally published in Newsday’s BusinessDay for November 09, 2023
Last week was a long seven days. On October 28, I was informed about a potential data breach at TSTT that resulted in company data being posted to the dark web.
The dark web is a subsection of the deep web, the parts of the internet that are not indexed by search engines. The deep web is largely content that lies behind a paywall or requires credentials to access and has been blocked from web crawlers.
It is estimated that the deep web constitutes as much as 96 per cent of the active internet. The dark web, which is not entirely populated with illicit activity, is estimated to be around five per cent of the total information and data movement of the internet.
Because there are no indexes, access is difficult. A visitor must use an anonymising browser such as Tor, which routes requests for a dark web site through a series of relays that make the user as anonymous as the pages they are trying to access.
The process is slow and a reminder of how far the world has come since Mosaic and the dial-up modem.
The most common and accessible websites are those under the .onion top-level domain, called onion sites.
Facebook, for instance, has a secure deep web access interface through an onion address.
What happened last week?
My initial reporting was done on October 28 after viewing the proof page posted by RansomEXX, a ransomware group that claimed responsibility for a hack on TSTT that resulted in the exfiltration of a declared 6GB of data.
The hack was reported on several websites that track global cybersecurity breaches. The page was accessed using an onionsite link provided by a Jamaican cybersecurity researcher, Gavin Dennis, who I worked with previously on the ANSA McAl and Massy data breaches.
The page showed screenshots of data captured in the hack and, after the expiration of the ransomware grace period, included links to the data the group had stolen.
Ransomware operations are businesses that operate using intimidation, fear and inconvenience to prompt payments.
Companies that have been attacked must worry about their data being released, about whether additional data is still to be revealed while working to safely and fully restore their data if they choose not to pay.
Because data can be copied infinitely, there is never any guarantee that paying the ransom will lead to the safe destruction of captured data. Trusting the word of criminals, even crooks running a business, is never a good idea.
TSTT was a victim in this. While the company has not revealed how access to its data was achieved, there are several ways credentials can be conned out of members of staff through elaborate phishing schemes. Critical software that isn’t updated quickly enough is another vector of attack.
Ransomware is a game of patience. Low-level access is normally steadily escalated in compromised systems until desirable data is found and copied. It is only then that the ransom demand is made.
TSTT has acknowledged that it was aware of the breach on October 09, but said nothing until after the story of the dump broke on October 28.
One hallmark of the company’s responses to the incident has been how efficiently it has worked to make itself the villain in the matter, draining any public inclination for empathy and sympathy for the initial attack and what it cost to respond.
Its statements have been less corporate communication than deft legalese, skirting what was publicly known as information was released in two statements on October 30 and November 03.
TSTT acknowledged only what was shovelled up and thrust in its face in those statements, offering no insights beyond what was brought to the public’s attention as matters of fact while denying anything that arose from informed speculation.
On October 30, the company stated, “There was no loss or compromise of customer data, no data was deleted from TSTT’s databases or manipulated. At this time, the company has not corroborated data currently in the public domain purported to be TSTT’s customer information.”
Implied in that statement is the notion that the company was aware of the data dump but had not inspected it.
Just four days later, the company took a new position, apologising to “Those customers whose information was accessed by these cyber terrorists.”
The state company’s line minister, Marvin Gonzales, recognising that he had been deliberately misled, backed down hastily from firm statements of denial he made about the data breach, which he declared to be untrue in a statement read into the Parliament’s Hansard.
He is now demanding an independent investigation into the breach.
What is in the data dump?
TSTT sought to position the 6GB data breach against the terabytes of data it manages every day, but what actually matters is what data was forcibly extracted from the company in the cybersecurity breach.
Here is an idea of what some of the files contain. An ID file, listing customer identification information, has 377,164 records; a contacts file is populated with 800,977 records; a file with employee IDs and passwords lists 158,032 records; and an Oracle database customers file includes 4,293,368 records.
A record is a single entry for a customer, logging data about them, which may include personal information, internal ranking of their customer value and payment history.
The larger files cannot be opened with tools like Excel, which only opened 1.5 million records of the Oracle customer database file and mangled the data structure while doing so.
Accessed using appropriate software, that large customers file will more clearly reveal data captured by the company on each of the customers it lists.
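For readers wondering what "appropriate software" means in practice: a spreadsheet loads the whole file into memory and silently stops at its row limit, while a streaming reader processes one record at a time, so a file of any size can be counted and its columns reviewed. The Python example below is added here and is not from the column or from TSTT; the column names and values are constructed for illustration, and the long-digit-run heuristic is an assumption about how an account-number column might look, not a description of any actual file.

```python
"""Stream a large delimited export and summarise it without loading it into memory."""
import csv
import io
import re
from collections import Counter

# Constructed sample: a tiny stand-in for a customer export. Column names and
# values are invented for this example; nothing here comes from any real dump.
SAMPLE_CSV = """customer_id,name,phone,account_no,last_payment
1001,A. Example,868-555-0100,12345678901,2023-09-30
1002,B. Sample,868-555-0101,,2023-10-02
1003,C. Placeholder,868-555-0102,98765432109,2023-08-15
"""

# Assumed heuristic: a column whose non-empty values are mostly long digit runs
# is flagged for manual review as a possible account or ID number field.
LONG_DIGIT_RUN = re.compile(r"^\d{9,}$")


def summarise_export(text_stream, delimiter=","):
    """Return (record_count, header, flagged_columns) for a delimited export.

    The reader iterates row by row, so memory use does not grow with file
    size; a multi-million-row file that defeats a spreadsheet is processed
    the same way as the three-row sample above.
    """
    reader = csv.DictReader(text_stream, delimiter=delimiter)
    header = list(reader.fieldnames or [])
    record_count = 0
    non_empty = Counter()   # non-empty values seen per column
    digit_like = Counter()  # values per column matching the long-digit heuristic
    for row in reader:
        record_count += 1
        for col in header:
            value = (row.get(col) or "").strip()
            if not value:
                continue
            non_empty[col] += 1
            if LONG_DIGIT_RUN.match(value):
                digit_like[col] += 1
    # Flag a column only when at least 80% of its populated values look like
    # long identifiers, so a stray number in a free-text column is not reported.
    flagged = sorted(
        col for col in header
        if non_empty[col] and digit_like[col] / non_empty[col] >= 0.8
    )
    return record_count, header, flagged


def summarise_path(path, encoding="utf-8", delimiter=","):
    """Open a real file lazily and hand it to summarise_export."""
    with open(path, newline="", encoding=encoding) as fh:
        return summarise_export(fh, delimiter=delimiter)


def summarise_sample():
    """Run the summary over the constructed sample so the result can be checked."""
    return summarise_export(io.StringIO(SAMPLE_CSV))


if __name__ == "__main__":
    count, cols, flagged = summarise_sample()
    print(f"records: {count}")
    print(f"columns: {cols}")
    print(f"review for sensitive identifiers: {flagged}")
```

The point of the streaming design is that the record count and the list of columns holding identifier-like values are produced without ever holding more than one row in memory, which is what an impact assessment of a multi-million-record export needs and what a spreadsheet cannot provide.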
In an entry for me as a TSTT customer, my bank account number is listed.
Similar listings are to be found in the database for many high-profile citizens.
Shiva Parasram, an Enterprise Risk Consultant and head of the Computer Forensics and Security Institute, who has been investigating the data dump, found entries for Penelope Beckles, Kamla Persad-Bissessar, Keith Rowley, Timothy Hamel-Smith, Jairam Seemungal, Lyndira Oudit, Wade Mark, Colm Imbert, Amery Browne and other Parliamentary notables.
Confronted with wider evaluations of this aspect of the breach, TSTT stated in its November 03 statement, “Some of the information can already be easily accessed via the telephone directory’s white pages.”
While this is a comforting thought, it completely sidesteps the fact that a telephone directory’s data is frozen on the printed page while a live database can be mined for information, correlated with information in other databases and used to create more detailed profiles of the records found there.
The company’s suggestion that there’s little that a criminal can do with the information in the public dump is dangerously misplaced.
What is the impact of the public presence of this information?
TSTT is not bound by any proclaimed law to give any more information on this incident than it has offered to date.
Perhaps it will respond more pellucidly to the demands for an investigation by the Public Utilities Minister after misinforming him so completely that he lied in Parliament.
Rishi Maharaj, a Certified Information Privacy Manager and owner of Privicy Advisory Services expressed strong concerns about the data protection aspects of the incident.
“The delayed disclosure, and the apparent contradiction between their claims and evidence presented by the hackers is alarming,” Maharaj said in a statement on October 31.
“The nature of the data involved—especially the ID scans—poses a significant risk. TSTT’s emphasis on the vast amounts of data they handle might be an attempt to downplay the breach’s gravity, but from a data protection standpoint, it’s not the volume but the sensitivity and relevance of the data that counts.”
Parasram worries that TSTT’s response might provoke further data leaks from RansomEXX if the group is holding additional data.
He also expressed concerns about wider global responses, particularly under the EU’s General Data Protection Regulation (GDPR), which brings data handled by companies about citizens of the EU within its scope.
“If they have customer information (for anyone in the) EU at the moment or (someone) who falls under the EU GDPR, when the EU gets wind of this and they do their own investigations and analyse it, there could be fines for this,” Parasram said. “And those fines are nothing minimal.”
Customers, Parasram noted, can essentially do nothing about the disclosure. TSTT has robustly defended the security of its data centre, a core business, but has not clarified whether it stores its own company data in that data centre or whether the breach occurred on servers located in that data centre.
In closing its November 03 press release, TSTT urged the public to “Exercise discernment in the information they consume, ensuring they receive it from credible and reputable sources to make well-informed decisions.”
From its wild variances in disclosure over a single week, much of it forced on the company by public disclosures of material fact, and its willingness to mislead its line minister, it is unclear whether TSTT is adequately qualified to meet the requirements to be such a source.