Trinidad: PM Rowley’s Data Leaked In Cyberattack

(TT GUARDIAN) – Prime Minister Dr Keith Rowley’s identification card number, his driver’s permit number and his passport number have been found to be compromised in TSTT’s data breach.

The Excel document also has his birth date and a PO box address for him as Prime Minister.

Guardian Media obtained a copy of the 6GB of TSTT data that was uploaded to the dark web following the October 9 cyberattack on the company, and was able to verify this. The data bundle includes scans, a list of names and credentials.

Rowley was asked to comment and was sent a copy of the information which Guardian Media was able to source and verify, but up to late yesterday had not responded.

The Prime Minister is one of hundreds of customers whose data has been posted online following the data breach at the telecommunications company.

As of yesterday, the data—which contains 1.2 million names—has been downloaded over 13,000 times from the dark web.

The data has names, home addresses, email addresses, cell phone numbers, birth certificates, passport numbers, identification cards, receipts, internal emails, as well as credentials.

Yesterday, Public Utilities Minister Marvin Gonzales issued a press statement and mandated that the board of TSTT conduct an independent inquiry into the cyberattack at the company.

In the statement, Gonzales said he is deeply concerned about the recent cyberattack given TSTT’s importance on the country’s telecommunications landscape.

The minister said the gravity of the situation warrants a thorough and full-scale investigation to ascertain the facts and circumstances that caused the breach, TSTT’s communications regarding the matter, and the actions the organisation is (and has been) taking to reduce the possibility of future cyber incursions.

He said that TSTT has to make public the facts and findings, in so far as the details do not compromise TSTT customer confidentiality or further put at risk the integrity of TSTT’s data or digital infrastructure.

Angus Smith, manager of T&T's Cybersecurity Incident Response Team, yesterday welcomed the investigation, saying that, based on what is in the public domain, there is not enough information to understand the threat to the country.

He criticised TSTT's handling of the incident and its failure to reach out to customers affected by it, and lamented the lack of legislation in T&T that would compel companies to be transparent about data breaches.

For its part, TSTT chose not to comment further on Sunday on the minister's call for an independent investigation.

Last Saturday, the company said there was no compromise of customer data but added that it had not corroborated information in the public domain purported to be customer information.

On Friday, the company issued another statement admitting that 6GB, or less than one per cent of the petabytes of the company’s data, was accessed but that the majority of its customers’ data was not acquired and no passwords were compromised.

TSTT said it was determined that some of the data had been accessed from a legacy system, which is no longer utilised but contains data that is, in many instances, no longer valid.

What caused the breach?

Cybersecurity experts were divided on what caused the data breach.

One, who chose to remain anonymous, believes there was an internal link to the job.

“The dark web isn’t like Google, where you search for what’s there. Unless you know what to look for, you won’t find it. And they knew what to look for,” he said.

Cybersecurity Consultant Alex Samm observed that, unlike other ransom attacks, no ransom countdown timer existed for TSTT, and all the information was readily available on RansomEXX’s page, on the Dark Web.

“This is enough information for mass identity theft and fraud. What we haven’t seen so far, as of the writing of this, are the credentials of clients that use TSTT’s systems and platforms. However, this does not mean that they are not present. We did, however, see dumps of what seemed to be an ORACLE database with customer information (full names, full addresses, contact numbers, notes on accounts, areas, and much more). The source code seems to be code for some of the internal applications of TSTT, including billing applications, scripts that perform automated tasks, web page code and some credentials embedded in some documents,” he told the Guardian Media.

“For an organisation as prominent as TSTT, storing passwords in plaintext in a text file? Not even encrypted or hashed? Excel sheets with internal addresses for critical systems and infrastructure along with usernames and passwords, in some cases even the old passwords are listed,” he said.
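The consultant's point above is that a credential file stored in plaintext hands every password directly to whoever steals the file, while a properly salted and hashed store gives a thief only salts and digests to brute-force. The following is an added example, not code from TSTT or from anyone quoted in the article. The "dump" lines, host addresses, usernames and passwords are constructed for illustration and are not real systems; the iteration count is an assumption, chosen to match current guidance for PBKDF2-HMAC-SHA256.

```python
"""Plaintext credential file versus salted-hash storage (added example).

The constructed PLAINTEXT_DUMP below mimics the kind of text-file credential
list the article describes: host, username, password, even old passwords.
Nothing here is real data.
"""
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of a plaintext credential list (hypothetical hosts/users/passwords).
PLAINTEXT_DUMP = """\
host=10.0.0.12 user=billing_admin password=Summer2019!
host=10.0.0.40 user=svc_backup password=backup123 old_password=backup122
"""

# Matches "password=..." and "old_password=..." fields; old_password listed first
# so the whole key is consumed rather than the "password" suffix inside it.
CRED_RE = re.compile(r"\b(?P<key>old_password|password)=(?P<value>\S+)")


def leaked_passwords(dump: str) -> List[str]:
    """Everything an attacker reads straight out of a plaintext dump, in file order."""
    return [m.group("value") for m in CRED_RE.finditer(dump)]


# --- hardened storage: one random salt per record, slow salted KDF, no plaintext ---
ITERATIONS = 600_000  # assumption: a current work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt is drawn unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored_digest)


def build_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build the at-rest record set: username -> (salt, digest). Plaintext is discarded."""
    return {username: hash_password(password) for username, password in users.items()}


def store_exposes_plaintext(store: Dict[str, Tuple[bytes, bytes]], passwords: List[str]) -> bool:
    """True if any original password appears verbatim in the stolen records."""
    blob = b"".join(salt + digest for salt, digest in store.values())
    return any(p.encode("utf-8") in blob for p in passwords)


if __name__ == "__main__":
    print("plaintext dump yields:", leaked_passwords(PLAINTEXT_DUMP))
    store = build_store({"billing_admin": "Summer2019!", "svc_backup": "backup123"})
    print("hashed store exposes plaintext:", store_exposes_plaintext(store, ["Summer2019!", "backup123"]))
    salt, digest = store["billing_admin"]
    print("correct password verifies:", verify_password("Summer2019!", salt, digest))
    print("wrong password verifies:", verify_password("summer2019!", salt, digest))
```

Two design choices matter here: the per-record random salt means two users with the same password get different digests, so an attacker cannot crack one and match the rest, and `hmac.compare_digest` avoids leaking digest bytes through timing. Hashing does not help for the infrastructure credentials in the article's Excel sheets, which have to be presented to the remote system; those belong in a secrets manager with rotation, not in a spreadsheet.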

“Until a full investigation is completed, we can only speculate, using historical trends of the ransomware gangs which, in this case, points to someone receiving an email and opening it and its attachment. That’s the typical route of the RansomEXX ransomware. That doesn’t mean they don’t have other means of gaining access. As mentioned before, it could be the gang exploiting an asset from TSTT that has known issues or it could be that it was an inside job, where a potentially disgruntled employee was leveraged by the gang to deploy the ransomware,” he explained.

Samm observed that T&T does not have any legislation in place for cybersecurity breaches, public or private.

“Anyone remember the ANSA hack a few years ago? We only knew about this because someone leaked it online. If this wasn’t released, we probably would never have heard of it. What about Digicel? The AG office and Ministry of Legal Affairs? No one is talking about the breach at SWRHA, and all the others that we won’t ever hear about,” he said.

Data protection

Managing Director of Privacy Advisory Services, Rishi Maharaj, said customers should be reasonably concerned about the TSTT data breach.

“While TSTT has stated that no customer passwords, credit card information, or other highly sensitive data were accessed, the breach did expose personally identifiable information (PII) such as names, email addresses, home addresses, ID scans, and some customer account information. This type of data can be used for identity theft, phishing attacks, and other malicious activities. The fact that some of this data came from a legacy system, which might contain outdated or no longer valid information, does not diminish the risk entirely, as cybercriminals can still use this data maliciously,” he said.

He said from a Data Protection perspective, there are several considerations.

He noted:

• Timeliness of Communication: There was a significant delay between the date of the breach (October 9) and TSTT’s first public statement (October 30). This 21-day gap, during which customers were unaware of potential risks, is concerning. Prompt communication is essential, especially when personal data might be at risk.

• Accuracy of Information: Initial statements from TSTT and the Public Utilities Minister suggested that customer data was not compromised. However, subsequent revelations proved this to be inaccurate. Such discrepancies can erode public trust.

• Response to Threats: The note from the Defray777 name and shame website suggests that TSTT was warned about the consequences of non-compliance before the data release. If true, this raises questions about TSTT’s decision-making process and its prioritization of customer data security.

• Public Perception: The revelation by third-party sources, such as The Dark Web Informer and other media outlets, before an official acknowledgment from TSTT, can further erode trust. It suggests that, without external pressure, the breach might not have been disclosed in its entirety to the public.

“While TSTT has taken steps post-breach to address concerns and protect its systems, the delays in communication, discrepancies in statements, and the nature of the breach disclosure raise significant concerns. Customers should critically evaluate their trust in TSTT based on the company’s actions and the information provided. Trust is earned through consistent and transparent actions, and TSTT will need to work diligently to rebuild that trust with its customer base,” he said.

For customers whose data has been exposed, he urged:

• Stay Vigilant: Be cautious of unsolicited communications, especially those asking for personal or financial information. Cybercriminals can use the breached data for phishing attacks.

• Monitor Accounts: Regularly check bank and credit card statements for any unauthorized transactions. If you notice anything suspicious, report it immediately.

• Change Passwords: Even though TSTT stated that no passwords were breached, it’s a good practice to change passwords for accounts, especially if you use similar passwords across multiple platforms.

• Enable Two-Factor Authentication (2FA): Where possible, enable 2FA on your accounts to add an extra layer of security.

• Stay Informed: Keep an eye on any further communications from TSTT regarding the breach. They might provide additional information or recommendations.

• Consider Identity Theft Protection: Some services monitor various databases and alert you if your personal information is found in places it shouldn’t be.

• Be Sceptical: If you receive any communication claiming to be from TSTT or any other organisation, verify its authenticity before providing any information or taking any action.