Technology journalist and Newsday columnist Mark Lyndersay says the public is unaware of how serious Ransom Exx’s reported breach of Telecommunication Services of Trinidad and Tobago’s (TSTT) data is.
Reports of the breach were made three days ago. Lyndersay wrote of it on his site, technewstt.com.
In that article, Lyndersay said, “According to FalconFeeds.IO, a cyber security firm that offers a Twitter feed reporting on breaches, tstt.co.tt and bmobile.co.tt were compromised, with a reported 6GB of customer lines, ID scans, gitlab projects and database dumps as part of the haul.”
A check of FalconFeeds.io’s Twitter account on October 27 showed a post that said, “Ransomexx #ransomware group has added Telecommunications Services of Trinidad and Tobago (http://tstt.co.tt) to their victim list. They claim to have access to 6GB of organisations (sic) data.”
There has been no official word from the Telecommunications Services of Trinidad and Tobago (TSTT) on the matter and calls to its CEO Lisa Agard went unanswered. Calls to Minister of Public Utilities Marvin Gonzales also went unanswered.
In a phone interview on Sunday, Lyndersay said, “It is an issue of customer privacy and the customer’s right to know.”
With ransomware, if the ransom is not paid the data is released, he said.
This has happened before in TT and Jamaica, he added.
“Before they release the data, it is customary that a ransomware organisation will produce proof with a selection of the data they exfiltrated (withdrawn surreptitiously) which they post to the dark web to say, ‘Yes we have your data. Now pay us.’
“In that cache of exfiltrated data that was posted as proof is a 300MB file that has got the personally identifiable information of 800,000 TSTT customers,” Lyndersay said.
This meant phone numbers, addresses, IDs etc.
Last year, there were reports of a malware incursion into its software. In later reports the company said it never paid a ransom and got international cyber security experts to help with the matter.
Lyndersay said that there was no legal requirement under TT’s laws for a company or government agency to disclose that it was hacked and that data was stolen.
Dlapiperdataprotection.com, a website which monitors data protection laws around the world, says there is no provision in the Data Protection Act for notifying data subjects or the Information Commissioner of a security breach.
“That is the law in Barbados and I believe, I can’t say for sure about Jamaica but I also believe it has been made law in Jamaica but it is not a law in TT. There is no legal requirement to disclose.”
Lyndersay said he believes this is in draft bills but it has not been passed into law. He believes it should be law because if people’s personal information has been stolen, they should at least know it has happened.
He said his biggest concern was that he began posting about it 24 hours ago and he thinks that a lot of people do not understand what has happened.
The real-world implication of this kind of issue is that if the data is available and people could make use of it, then it needs to be considered exactly what kind of use they would make of it.
Lyndersay said people needed to be aware that they have a right to privacy and, where that right is not enshrined in law, should take an interest in it becoming so.
The Cybercrime Bill is yet to be enacted in TT.