Asha Javeed

Lead Ed­i­tor In­ves­ti­ga­tions

asha.javeed@guardian.co.tt

De­spite a de­nial by the Telecom­mu­ni­ca­tions Ser­vices of T&T (TSTT), the 6GB of da­ta up­loaded to the dark web af­ter the Oc­to­ber 9 breach con­tains bank­ing and cred­it card in­for­ma­tion.

On No­vem­ber 3, TSTT ad­mit­ted, af­ter first deny­ing it, that 6GB of its da­ta was leaked af­ter a cy­ber­at­tack but said it orig­i­nat­ed from a lega­cy sys­tem and con­tained da­ta which was no longer valid.

TSTT said the da­ta re­vealed names, email ad­dress­es, home ad­dress, a lim­it­ed amount of ID scams, some cus­tomer ac­count in­for­ma­tion like billing ad­dress­es and mo­bile num­bers, pay­ment re­ceipts and let­ters of au­tho­ri­sa­tion. The com­pa­ny al­so said the da­ta dump did not con­tain call records, trans­ac­tion­al da­ta, cus­tomers pass­words, cred­it card in­for­ma­tion and fi­nan­cial in­for­ma­tion.

How­ev­er, Guardian Me­dia ob­tained scans with cred­it card in­for­ma­tion, as well as bank ac­count num­bers in­clud­ed in the leaked 6GB da­ta bun­dle.

Al­so in­clud­ed among the scans were bank­ing in­for­ma­tion for cus­tomers, com­pa­nies, state en­ter­pris­es, min­istries, as well as cred­it card num­bers in trans­ac­tion re­ceipts.

Guardian Me­dia spoke to IT con­sul­tant Shiv­am Teelucks­ingh, who has been do­ing a deep dive in­to the da­ta to see what is avail­able on the dark web.

Teelucks­ingh was able to ac­cess his own da­ta, pull up how much of his bill was paid, the form in which it was paid, his ad­dress and his bank ac­count at RBC.

Thank­ful­ly, he said, that bank ac­count was now closed.

He point­ed out that while TSTT said the in­for­ma­tion was lega­cy, there were scans as re­cent as Jan­u­ary 2023.

“At the end of the day, it’s not about the hack it­self, it’s about how the com­pa­ny han­dled it, brush­ing it un­der the rug and hid­ing it from their cus­tomers. Up to now cus­tomers were not no­ti­fied. A lot of the IDs are old­er folks as well as in­ter­na­tion­al cit­i­zens,” he point­ed out.

Teelucks­ingh said he hopes that now, every­one will take their da­ta se­ri­ous­ly.

“I hope we start to take our da­ta more se­ri­ous­ly and start the im­ple­men­ta­tion of prop­er da­ta pro­tec­tion laws with­in the coun­try. Com­pa­nies such as TSTT need to be held re­spon­si­ble for ly­ing to the na­tion, as well as in­for­ma­tion leak­ing out. I un­der­stand that it is a cy­ber­at­tack, which can hap­pen to any­one, but prop­er poli­cies need to be tak­en in­to ac­count when these things hap­pen. The Caribbean is a play­ground for hack­ers and we need to stay se­cure and safe on­line,” he added.

“To strength­en our cy­ber­se­cu­ri­ty, I pro­pose the cre­ation of teams with­in the Min­istry of Dig­i­tal Trans­for­ma­tion that col­lab­o­rate with IT de­part­ments across var­i­ous min­istries to con­duct com­pre­hen­sive IT and se­cu­ri­ty au­dits, en­com­pass­ing every­thing from web­sites to desk­top sys­tems. En­sur­ing that all these sys­tems meet nec­es­sary stan­dards, or are at least user-friend­ly is time-con­sum­ing and may re­quire in­vest­ment, but the safe­guard­ing of our na­tion’s sen­si­tive in­for­ma­tion is of para­mount im­por­tance.”

He said while Trinidad and To­ba­go Cy­ber Se­cu­ri­ty In­ci­dent Re­sponse Team (TT-CSIRT) con­ducts valu­able we­bi­na­rs, the Gov­ern­ment needs to ex­tend this knowl­edge and ed­u­ca­tion to end-users through­out the na­tion.

“Sim­ple so­cial me­dia posts are in­suf­fi­cient. More­over, if there are gov­ern­ment-spon­sored com­put­er labs at com­mu­ni­ty cen­tres, they should be utilised to of­fer class­es on on­line safe­ty, so­cial en­gi­neer­ing, and oth­er dig­i­tal se­cu­ri­ty as­pects,” he said.

“Trans­for­ma­tion must be strate­gi­cal­ly man­aged, start­ing with build­ing a sol­id foun­da­tion. It’s ev­i­dent that the tran­si­tion needs to be grad­ual, not a leap from lev­el one to lev­el five. To achieve this, let’s es­tab­lish a com­pre­hen­sive trans­for­ma­tion time­line span­ning from year one to five and com­mit to mak­ing it a re­al­i­ty. The pub­lic’s per­cep­tion is shaped by what they are told, and the cur­rent sit­u­a­tion, with in­for­ma­tion cir­cu­lat­ing on so­cial me­dia, doesn’t re­flect well on TSTT.”

Guardian Me­dia has re­port­ed that the names of the coun­try’s top of­fi­cials, Prime Min­is­ter Dr Kei­th Row­ley, Pres­i­dent Chris­tine Kan­ga­loo, Chief Jus­tice Ivor Archie, Fi­nance Min­is­ter Colm Im­bert, Na­tion­al Se­cu­ri­ty Min­is­ter Fitzger­ald Hinds, Po­lice Com­mis­sion­er Er­la Hare­wood-Christo­pher and Pub­lic Util­i­ties Min­is­ter Mar­vin Gon­za­les are all in­clud­ed in a list of peo­ple found in doc­u­ments down­loaded to the dark web from TSTT’s da­ta breach.

The list con­tains 1.2 mil­lion en­tries.

There are hun­dreds of thou­sands of names on the list which was post­ed on­line fol­low­ing the da­ta breach at the telecom­mu­ni­ca­tions com­pa­ny.

As of yes­ter­day, the da­ta has been down­loaded over 17,488 times from the dark web.

The com­pa­ny’s line min­is­ter, Mar­vin Gon­za­les, has or­dered an in­de­pen­dent in­ves­ti­ga­tion in­to the da­ta breach. The min­is­ter said the grav­i­ty of the sit­u­a­tion war­rants a thor­ough and full-scale in­ves­ti­ga­tion to as­cer­tain the facts and cir­cum­stances that caused the breach, TSTT’s com­mu­ni­ca­tions re­gard­ing the mat­ter, and the ac­tions the or­gan­i­sa­tion is tak­ing to re­duce the pos­si­bil­i­ty of fu­ture cy­ber in­cur­sions.

He said that TSTT has to make pub­lic the facts and find­ings, in­so­far as the de­tails do not com­pro­mise cus­tomer con­fi­den­tial­i­ty or fur­ther put at risk the in­tegri­ty of TSTT’s da­ta or dig­i­tal in­fra­struc­ture.