TSTT's dark night of the soul

Mark Lyndersay

BitDepth#1432


THE TSTT data breach that went public on October 27 might have been the noisiest consequence of a cyberattack that TT has experienced, but it wasn’t the first.

In the cases of the ANSA McAL, Massy, Port of Spain City Corporation and Attorney General's Office breaches, along with two others that I know of that were never made public, the saving grace was that the punitive dump of data was never widely distributed.

By last week, roughly eight days after I broke the story on October 28, the 6GB of exfiltrated files had moved beyond the dark web to file-sharing sites on the open internet.

The incident descended into debacle, as the facts, available for review by anyone with the skill or determination to do so, were vigorously denied by TSTT.

It seemed inconceivable to me that nobody saw the problem, and the statements from the Minister of Public Utilities and TSTT flew so blatantly in the face of the facts as to be insulting.

One aspect of this remains an issue of concern. In the face of general apathy about the data breach, mainstream media and online commenters increasingly sought more colourful illustrations of the issue, including displays of unredacted personal information.

The laws that should govern the handling of misappropriated information are still frozen in the parts of the Data Protection Act that have not been brought into local law, but common sense should have moderated some of the more outrageous reporting and demonstrative sharing that characterised an effort to draw more national attention to the issues raised by the breach.

One of the reasons that the act was never fully proclaimed was a vigorous and sustained objection by local media to the chilling effect on reporting that would have resulted from the legislation as originally drafted.

It is important for journalists to view and confirm information before reporting it to the wider public, even if the documents are too sensitive to be widely shared.

If everyone is saying the sky is blue, it's the journalist's job to always open the window and look. If the laws deny that basic precept, they neuter a fundamental facet of journalism and its importance to the public interest.

Who knows how much sensitive personally identifiable information (PII) has already been bobbing around on the dark web as a result of previously reported local data breaches we haven't seen the scope of and those that we don't know anything about.

If nothing else, the widespread enthusiasm of the last two weeks makes it clear that laws are needed, but they must establish parameters that allow practising journalists to evaluate and inform the public, compel companies to disclose the nature and scale of data lost and penalise carelessness in data gathering, management and security.

TSTT's handling of this incident was disgraceful, but not surprising. In November 2019, I wrote a story about the fragile state of the company's back office accounting software (https://cstu.io/58267e).

I was told that TSTT was not happy about it, but the company kept silent, hoping that the complex and technical nature of the story would bury it. And it was right. Then.

In its press release on October 30, I saw elements of the same playbook, an effort to impress the public with its capable corporate handling of the situation while determinedly downplaying the impact of the actual incident.

The faltering billing system created problems for people trying to pay their bills or realising their payments were getting lost. With the 2023 data breach, the creeping realisation came home for hundreds of thousands of people that their personal information was in the public domain. What had been in practice private was now digital bottom in the road.

It isn't clear that TSTT has learned anything from this experience. Five days after the breach went public, the company apologised, but it did so in the sixth paragraph of an eight-paragraph press release, the definition of "Oh, by the way, sorry about that."

The State's reaction to its errant company (the government is the majority shareholder in TSTT) was to fulminate about investigations and we all know what happens to those.

With no law governing misuse of data, no crime has been committed. The TT Cyber Security Incident Response Team (TTCSIRT) is essentially powerless to investigate anyone who doesn't invite them in. The State is still figuring out what's happened.

The single takeaway, our sole solace, should be an understanding of what a lapse in cybersecurity can wreak and what we have learned from it. But it isn't clear that anyone in a position of responsibility has been studying that homework.

Mark Lyndersay is the editor of technewstt.com. An expanded version of this column can be found there.
