Lead Editor Investigations
asha.javeed@guardian.co.tt
Despite a denial by the Telecommunications Services of T&T (TSTT), the 6GB of data uploaded to the dark web after the October 9 breach contains banking and credit card information.
On November 3, TSTT admitted, after first denying it, that 6GB of its data was leaked after a cyberattack but said it originated from a legacy system and contained data which was no longer valid.
TSTT said the data revealed names, email addresses, home address, a limited amount of ID scams, some customer account information like billing addresses and mobile numbers, payment receipts and letters of authorisation. The company also said the data dump did not contain call records, transactional data, customers passwords, credit card information and financial information.
However, Guardian Media obtained scans with credit card information, as well as bank account numbers included in the leaked 6GB data bundle.
Also included among the scans were banking information for customers, companies, state enterprises, ministries, as well as credit card numbers in transaction receipts.
Guardian Media spoke to IT consultant Shivam Teelucksingh, who has been doing a deep dive into the data to see what is available on the dark web.
Teelucksingh was able to access his own data, pull up how much of his bill was paid, the form in which it was paid, his address and his bank account at RBC.
Thankfully, he said, that bank account was now closed.
He pointed out that while TSTT said the information was legacy, there were scans as recent as January 2023.
“At the end of the day, it’s not about the hack itself, it’s about how the company handled it, brushing it under the rug and hiding it from their customers. Up to now customers were not notified. A lot of the IDs are older folks as well as international citizens,” he pointed out.
Teelucksingh said he hopes that now, everyone will take their data seriously.
“I hope we start to take our data more seriously and start the implementation of proper data protection laws within the country. Companies such as TSTT need to be held responsible for lying to the nation, as well as information leaking out. I understand that it is a cyberattack, which can happen to anyone, but proper policies need to be taken into account when these things happen. The Caribbean is a playground for hackers and we need to stay secure and safe online,” he added.
“To strengthen our cybersecurity, I propose the creation of teams within the Ministry of Digital Transformation that collaborate with IT departments across various ministries to conduct comprehensive IT and security audits, encompassing everything from websites to desktop systems. Ensuring that all these systems meet necessary standards, or are at least user-friendly is time-consuming and may require investment, but the safeguarding of our nation’s sensitive information is of paramount importance.”
He said while Trinidad and Tobago Cyber Security Incident Response Team (TT-CSIRT) conducts valuable webinars, the Government needs to extend this knowledge and education to end-users throughout the nation.
“Simple social media posts are insufficient. Moreover, if there are government-sponsored computer labs at community centres, they should be utilised to offer classes on online safety, social engineering, and other digital security aspects,” he said.
“Transformation must be strategically managed, starting with building a solid foundation. It’s evident that the transition needs to be gradual, not a leap from level one to level five. To achieve this, let’s establish a comprehensive transformation timeline spanning from year one to five and commit to making it a reality. The public’s perception is shaped by what they are told, and the current situation, with information circulating on social media, doesn’t reflect well on TSTT.”
Guardian Media has reported that the names of the country’s top officials, Prime Minister Dr Keith Rowley, President Christine Kangaloo, Chief Justice Ivor Archie, Finance Minister Colm Imbert, National Security Minister Fitzgerald Hinds, Police Commissioner Erla Harewood-Christopher and Public Utilities Minister Marvin Gonzales are all included in a list of people found in documents downloaded to the dark web from TSTT’s data breach.
The list contains 1.2 million entries.
There are hundreds of thousands of names on the list which was posted online following the data breach at the telecommunications company.
As of yesterday, the data has been downloaded over 17,488 times from the dark web.
The company’s line minister, Marvin Gonzales, has ordered an independent investigation into the data breach. The minister said the gravity of the situation warrants a thorough and full-scale investigation to ascertain the facts and circumstances that caused the breach, TSTT’s communications regarding the matter, and the actions the organisation is taking to reduce the possibility of future cyber incursions.
He said that TSTT has to make public the facts and findings, insofar as the details do not compromise customer confidentiality or further put at risk the integrity of TSTT’s data or digital infrastructure.
