The data breach at majority state-owned Telecommunications Services of Trinidad and Tobago (TSTT), the subject of ongoing revelations, is, without a doubt, the most consequential unauthorised incursion into servers and databases that has been experienced in this country.
While large companies and government agencies have suffered similar attacks, the scale of the TSTT breach is mind-boggling as, from all reports, the data of hundreds of thousands of its customers was dumped on the dark web.
TSTT’s first news release on this issue was on October 30, two days after it was ventilated by a local journalist. In that release, TSTT referred to the fact that cyber attackers attempted to gain unauthorised access to its systems on October 9.
If it is assumed that TSTT was aware of the hacking incident almost in real time, which is an expectation of a modern telecommunications company, it is surprising it only referenced the intrusion 21 days later, and only after it was already in the public realm.
In its second news release on the issue, on November 3, TSTT acknowledged the published material was easily accessible, but argued that “the corroboration process was time consuming because it required cross referencing data across multiple extensive databases to verify sources”.
On the face of it, this appeared a reasonable explanation for TSTT’s apparent inability, up to now, to inform its customers on an individual basis that details of their personal information have been exposed.
But how does TSTT explain the assertion in its November 3 release that neither credit card nor financial information was included in the data breach, when Guardian Media reported yesterday that it obtained scans with credit card and financial information?
On this specific issue of the public availability of private credit card and financial information, it is crucial TSTT provides some assurances to those individuals affected. And if individual assurances are not possible or practicable, it is absolutely necessary that TSTT provides the general public with the information necessary to mitigate the possibility of identity theft and other acts of potential criminality. In this regard, TSTT CEO Lisa Agard should have led that charge publicly and not have hidden behind media releases, even if only to assuage the public’s fear about the fallout.
Such public information is simply too important to be placed on hold because Minister of Public Utilities, Marvin Gonzales, has ordered an independent, full-scale investigation into the breach that aims to ascertain its facts and circumstances, as well as measures necessary to mitigate a recurrence.
There is a tendency in this country for investigations to be used as a means of stifling ventilation of public issues.
Among the obvious requirements in dealing with the breach is the need for the impacted entity to be the first to inform its stakeholders and for the information communicated to be completely transparent, including, in this case, the messaging to the line minister, Mr Gonzales.
Given his current role in the Government and his previous role as chief technology officer at TSTT, the silence of Minister of Digital Transformation, Hassel Bacchus, is also unexpected. Mr Bacchus can play a key role in educating the public on the issue of cyber safety.
Such education, along with a renewed look at the Data Protection Act, must be a national focus for T&T moving forward.