Asha Javeed
Lead Editor Investigations
asha.javeed@guardian.co.tt
Quash the cyber breach report. That’s the request from two fired former executives of TSTT—former chief executive Lisa Agard and former chief financial officer Shiva Ramnarine—to Public Utilities Minister Marvin Gonzales in a legal letter sent last Thursday, as they insist that it should not be laid in Parliament.
The former executives believe that the report, which contains potential negative findings on their role during the cyber breach, “is laden with conjecture and is therefore infected with unlawfulness.”
In the legal letter by attorney Karina Singh of Fortis Chambers, the duo said if they do not receive a favourable response from Gonzales, they would seek leave “to apply for judicial review for an order restraining the publication of the report on the basis that the publication would be illegal, irrational, and/or procedurally improper.”
The report, which was requested by Gonzales following the cyber breach on October 9, 2023, was done by the international cybersecurity firm, the Kudelski Group.
The letter from the duo stated, “We are of the considered view that before the issuance of any report containing adverse statements and/or findings against our clients, Kudelski must give full and frank disclosure of the particulars of the allegations which underpin their proposed findings. This will allow our clients to adequately address those allegations and afford them the opportunity to review documentation or witness statements upon which Kudelski relied to substantiate such findings.
“Therefore, had Kudelski given due consideration to same, it would not have arrived at the findings and/or potential criticisms against our clients.
“We therefore contend that Kudelski exercised its powers in a manner that is so unreasonable that no reasonable person could have so exercised the power, unfairly and its report. It is trite law that these aspects of unlawfulness provide sufficient basis for injunctive relief and further, for the said report to be quashed.”
Following the cyber breach, Gonzales had ordered an independent investigation into the incident and gave an undertaking that the findings would be made public as he intended to lay it in Parliament. The Kudelski report is an independent report.
Following the breach, TSTT engaged the services of a local independent cybersecurity company, CyberEye, which is affiliated with Crossword Cybersecurity Plc in the United Kingdom, to do a root cause and log analysis, secure re-enablement, assess the effectiveness of TSTT’s current cybersecurity controls for protecting its information asset against cyber threats, and, finally, threat monitoring and detection as part of its internal investigation.
The duo argued that Kudelski failed to give consideration to those reports that were completed.
Gonzales: It will be laid
But Gonzales yesterday insisted that the report, which in his view took too long, would be made public, though he could not give a definite date. He said it was sent to the National Security Council, and he fully intends to lay it in Parliament within the shortest time possible.
“Nothing surprised me in the report,” he said. “When the report is laid, the country will see some of the key recommendations as to what TSTT needs to do to boost its cybersecurity. I can also say that TSTT has done a lot of work in the last year to comply with some of the recommendations in the report,” he added.
The Kudelski investigation
The legal letter said that on September 26 and 29, 2024, the Kudelski team contacted Agard and Ramnarine on potential criticisms that were being addressed. The letter said that given that neither Agard nor Ramnarine have had sight of the finished report, they are unclear whether those criticisms have changed, and they describe this as unfair, irrational, and illogical. It also said that, in their view, Kudelski has not facilitated the duo with “a fair and meaningful opportunity to be heard following its notice to our clients of the highlighted ‘potential criticisms’ against our clients.”
The letter added, “We have advised of several objections, inter alia, issues of disputed factual accounts, the reliance on persons unknown and undisclosed in the report, and the reliance on same to make speculative assertions which are contradictory to material evidence contained in documentation as well as other expert reports undertaken and directly related to the issues raised in this matter. As you are aware, investigative reports may be quashed and/or injuncted from publication because of the failure to adhere to principles of natural justice.”
The duo also claim that while Kudelski advised them of “a revised approach” in proceeding to compile the terms of its report, it has frustrated their “legitimate expectation to a procedural benefit.”
Both Agard and Ramnarine raised concerns about a concluding statement in a letter from Kudelski, which they included in their legal letter submitted to Gonzales.
“Kudelski further prematurely concluded that ‘we do not consider that the process of our investigation lends itself to resolving such disputed recollections of events not otherwise substantiated by documentation, and neither do we consider that the subject matter of these disputes is sufficiently central to our report to require such resolution’.
“Respectfully, we do not accept this position, which directly impacts the integrity of any intended report to be compiled. Further, this approach is demonstrative of a plainly illogical approach. By necessity, certain facts would need to be resolved prior to arriving at conclusions. Such an approach may also be demonstrative of ‘predetermination’ because, in essence, it appears that Kudelski adopted a closed mind towards the information potential concerns of our clients,” the letter said.
They argue that Kudelski has drawn conclusions that are unsupported and baseless and, in the absence of evidence, that it has acted contrary to its terms of reference [as of 21 March 2024] and its exercise of discretion throughout the investigation, and that its findings are prima facie irrational.
The letter noted that Kudelski’s decision not to provide specifically requested items of disclosure of material by Agard and Ramnarine has deprived them of having a fair and meaningful opportunity to be heard.
“Our clients sought the disclosure in order to submit their full substantive responses, as such material would have given our clients the proper context of the respective potential criticisms highlighted in the respective letters. Thus, our clients’ representations are incomplete. It is trite law that where allegations/criticisms are to be made against any individual, that individual should be supplied with sufficient particulars to enable a full, proper and intelligible response,” the letter stated.
“Ultimately, there can be no fair presentation of Kudelski’s findings in the report, as Kudelski has inaccurately summarised representations received from purported interested parties, which can have the fatal effect of misleading all readers of the said report, overlooking relevant considerations which were improperly omitted from the report.”
The fallout
Four of TSTT’s top executives have departed the organisation following the cyber breach. Agard subsequently apologised to the company’s customers whose data was stolen and expressed regret for the way the company handled its communication following the cyberattack at an investor briefing on November 10.
“In our haste to address the cyber problem, there were some things that we could have done better. We were so busily focused on identifying the problem, containing it, and restoring full capability to serve our customers that we neglected perhaps to communicate effectively with them,” she said.
“The information currently in the public domain is largely personal identifiable information, which experts have advised us does not pose an elevated risk of fraudulent activity to customers. We have, of course, advised our customers to be extremely vigilant and on the alert for any suspicious activity,” she added. However, the TSTT board fired her three days later and appointed Kent Western, TSTT’s general manager, customer experience, as acting chief executive.
Ramnarine was fired two months later.
“TSTT made a decision to terminate my employment for no reason. It’s a clause that I specifically requested to be put into my contract and that is to ensure that in the case of hostility or animosity or any other types of issues that may arise that we can both part ways amicably,” Ramnarine had told a Joint Select Committee on February 19.
When asked whether his departure was linked to the malware incursion, he answered, “I would say that there was a great deal of disinformation put out there about my not approving spending which has been refuted, which has been rubbished. It has been publicised properly despite the attempts of the network and IT team and others for that disinformation to cloud the incompetence that was at play.
“So I would say, at this point, in hindsight, I would say that played a significant role but because it’s a termination for no reason and they affected that clause I cannot say specifically what that would be. I would say that in the past year and a half, and I would venture out there, there has been significant amount of hostility and animosity directed toward myself.”
TSTT’s Senior Manager-Corporate, Environmental, Social, Reputation Management Khamal Georges also subsequently resigned.
A few weeks ago, TSTT’s chairman Sean Roach also departed the board.
About the cyber breach
The cyber breach at TSTT occurred on October 9 at 4:18 pm but was only made public on October 27, after Falcon Feeds, an India-based technology security company, reported on its X social media account that ransomware group RansomExx added TSTT (http://tstt.co.tt) to its victim list. It claimed to have access to 6GB of organisation data.
On October 28, TSTT said in a statement that there was no compromise of customer data but added that it had not corroborated information in the public domain purported to be customer information. However, after cybersecurity experts went digging into the data and made their discoveries public, the company issued another statement.
On November 3, TSTT admitted that 6GB, or less than one per cent of the petabytes of the company’s data, was accessed but that the majority of its customers’ data was not acquired and no passwords were compromised. Guardian Media had exclusively reported that the names of the country’s top officials, Prime Minister Dr Keith Rowley, President Christine Kangaloo, Chief Justice Ivor Archie, Finance Minister Colm Imbert, National Security Minister Fitzgerald Hinds, Police Commissioner Erla Harewood-Christopher, and Public Utilities Minister Marvin Gonzales, were all included in a list of people found in documents downloaded from the dark web from TSTT’s data breach.
And despite denial by TSTT, Guardian Media obtained scans with credit card information, as well as bank account numbers, included in the 6GB data bundle. Also included among the scans were banking information for customers, companies, state enterprises, and ministries, as well as credit card numbers in transaction receipts. There were also foreign ID cards and documents in the dump. The list contained 1.2 million entries.
