The on­go­ing rev­e­la­tions con­cern­ing the da­ta breach at ma­jor­i­ty state-owned Telecom­mu­ni­ca­tions Ser­vices of Trinidad and To­ba­go (TSTT) is, with­out a doubt, the most con­se­quen­tial unau­tho­rised in­cur­sion in­to servers and data­bas­es that has been ex­pe­ri­enced in this coun­try.

While large com­pa­nies and gov­ern­ment agen­cies have suf­fered sim­i­lar at­tacks, the scale of the TSTT breach is mind bog­gling as, from all re­ports, the da­ta of hun­dreds of thou­sands of its cus­tomers was dumped on the dark web.

TSTT’s first news re­lease on this is­sue was on Oc­to­ber 30, two days af­ter it was ven­ti­lat­ed by a lo­cal jour­nal­ist. In that re­lease, TSTT re­ferred to the fact that cy­ber at­tack­ers at­tempt­ed to gain unau­tho­rised ac­cess to its sys­tems on Oc­to­ber 9.

If it is as­sumed that TSTT was aware of the hack­ing in­ci­dent al­most in re­al time, which is an ex­pec­ta­tion of a mod­ern telecom­mu­ni­ca­tions com­pa­ny, it is sur­pris­ing it on­ly ref­er­enced the in­tru­sion 21 days lat­er, and on­ly af­ter it was al­ready in the pub­lic realm.

In its sec­ond news re­lease on the is­sue, on No­vem­ber 3, TSTT ac­knowl­edged the pub­lished ma­te­r­i­al was eas­i­ly ac­ces­si­ble, but ar­gued that “the cor­rob­o­ra­tion process was time con­sum­ing be­cause it re­quired cross ref­er­enc­ing da­ta across mul­ti­ple ex­ten­sive data­bas­es to ver­i­fy sources”.

On the face of it, this ap­peared a rea­son­able ex­pla­na­tion about TSTT’s ap­par­ent in­abil­i­ty, up to now, to in­form its cus­tomers on an in­di­vid­ual ba­sis, that de­tails of their per­son­al in­for­ma­tion has been ex­posed.

But how does TSTT ex­plain the as­ser­tion in its No­vem­ber 3 re­lease that nei­ther cred­it card nor fi­nan­cial in­for­ma­tion was in­clud­ed in the da­ta breach, when Guardian Me­dia re­port­ed yes­ter­day that it ob­tained scans with cred­it card and fi­nan­cial in­for­ma­tion.

On this spe­cif­ic is­sue of the pub­lic avail­abil­i­ty of pri­vate cred­it card and fi­nan­cial in­for­ma­tion, it is cru­cial TSTT pro­vides some as­sur­ances to those in­di­vid­u­als af­fect­ed. And if in­di­vid­ual as­sur­ances are not pos­si­ble or prac­ti­ca­ble, it is ab­solute­ly nec­es­sary that TSTT pro­vides the gen­er­al pub­lic with the in­for­ma­tion nec­es­sary to mit­i­gate the pos­si­bil­i­ty of iden­ti­ty theft and oth­er acts of po­ten­tial crim­i­nal­i­ty. In this re­gard, TSTT CEO Lisa Agard should have led that charge pub­licly and not have hi­den be­hind me­dia re­leas­es, even if on­ly to as­suage the pub­lic’s fear about the fall­out.

Such pub­lic in­for­ma­tion is sim­ply too im­por­tant to be placed on hold be­cause Min­is­ter of Pub­lic Util­i­ties, Mar­vin Gon­za­les, has or­dered an in­de­pen­dent, full-scale in­ves­ti­ga­tion in­to the breach that aims to as­cer­tain its facts and cir­cum­stances, as well as mea­sures nec­es­sary to mit­i­gate a re­cur­rence.

There is a ten­den­cy in this coun­try for in­ves­ti­ga­tions to be used as a means of sti­fling ven­ti­la­tion of pub­lic is­sues.

Among the ob­vi­ous re­quire­ments in deal­ing with the breach is the need for the im­pact­ed en­ti­ty to be the first to in­form its stake­hold­ers and for the in­for­ma­tion com­mu­ni­cat­ed to be com­plete­ly trans­par­ent–in­clud­ing, in this case, the mes­sag­ing to the line min­is­ter, Mr Gon­za­les.

Giv­en his cur­rent role in the Gov­ern­ment and his pre­vi­ous role as chief tech­nol­o­gy of­fi­cer at TSTT, the si­lence of Min­is­ter of Dig­i­tal Trans­for­ma­tion, Has­sel Bac­chus, is al­so un­ex­pect­ed. Mr Bac­chus can play a key role in ed­u­cat­ing the pub­lic on the is­sue of cy­ber safe­ty.

Such ed­u­ca­tion, along with a re­newed look on the Da­ta Pro­tec­tion Act, must be a na­tion­al fo­cus for T&T mov­ing for­ward.