Thursday, March 27, 2025

TSTT says data breach not major


Andrea Perez- Sobers
510 days ago
TSTT House, Port-of-Spain.

An­drea Perez-Sobers

The Telecom­mu­ni­ca­tions Ser­vices of Trinidad and To­ba­go (TSTT) says de­spite the cy­ber at­tack­ers' at­tempt to gain unau­tho­rized ac­cess to the com­pa­ny’s sys­tem last month, the ma­jor­i­ty of cus­tomers’ in­for­ma­tion was not ac­cessed but apol­o­gised to the few whose in­for­ma­tion was cap­tured.

This sit­u­a­tion has been in the pub­lic do­main as many start­ed spec­u­lat­ing that the com­pa­ny was hacked by cy­ber­at­tacks af­ter cus­tomers were not able to make calls. A re­cent video mak­ing its rounds on so­cial me­dia showed the al­leged da­ta of cus­tomers that was stolen by the at­tack­ers.

TSTT in a state­ment this morn­ing said since the cy­ber­at­tack, it took im­me­di­ate steps to min­imise the se­cu­ri­ty vul­ner­a­bil­i­ty, suc­cess­ful­ly iso­lat­ing its sys­tems and ap­pli­ca­tions.

It not­ed that ap­pli­ca­tions were sub­se­quent­ly quar­an­tined, re­built, and put back in­to pro­duc­tion as part of clear­ly de­fined poli­cies and pro­ce­dures.

“The com­pa­ny al­so en­list­ed the sup­port of in­ter­na­tion­al­ly recog­nised cy­ber se­cu­ri­ty ex­perts and part­ners in in­ves­ti­gat­ing the at­tempt­ed breach and ad­vis­ing on the im­ple­men­ta­tion of ap­pro­pri­ate ad­di­tion­al se­cu­ri­ty mea­sures and pro­to­cols. Some of these rec­om­men­da­tions have al­ready been im­ple­ment­ed,” TSTT ex­plained.

The in­ter­na­tion­al cy­ber se­cu­ri­ty con­sul­tants, whom the com­pa­ny has been work­ing with for the past sev­en days have de­ter­mined that the da­ta re­leased con­tains large­ly iden­ti­fy­ing in­for­ma­tion, of those cus­tomers af­fect­ed by these cy­ber ter­ror­ists.

While the com­pa­ny is still scru­ti­n­is­ing the da­ta, the 6GB ac­cessed rep­re­sents less than one per cent of the petabytes of da­ta the com­pa­ny pro­duces and stores.

More­over, it rep­re­sents in­for­ma­tion from a small sub­set of TSTT’s cus­tomer base.

TSTT high­light­ed that a sin­gle cus­tomer could gen­er­ate hun­dreds or thou­sands of records of non-crit­i­cal, non-sen­si­tive trans­ac­tions.

It was al­so de­ter­mined that some of the da­ta were ac­cessed from a lega­cy sys­tem, which is no longer utilised by TSTT but con­tains da­ta that is, in many in­stances, no longer valid.

This da­ta is kept to en­sure TSTT is com­pli­ant with rel­e­vant laws as it re­lates to the re­ten­tion of cus­tomer in­for­ma­tion.

With this con­text, TSTT said the sub­set of in­for­ma­tion ac­cessed con­tains, “First Name; Call records Last Name­Trans­ac­tion­al da­ta Email Ad­dress

Cus­tomer Pass­words; Home Ad­dress; Cred­it card in­for­ma­tion; ID Scans (lim­it­ed amount)

Fi­nan­cial in­for­ma­tion; some cus­tomer ac­count in­for­ma­tion, (Ac­count #, billing ad­dress­es, and some mo­bile num­bers); let­ters of au­tho­ri­sa­tion: this per­mits some­one to con­duct trans­ac­tions with TSTT on some­one’s be­half and pay­ment re­ceipts.”

It said what is not in­clud­ed are, “call records; trans­ac­tion­al da­ta, cus­tomer pass­words, cred­it card in­for­ma­tion, and fi­nan­cial in­for­ma­tion.”

TSTT’s in­ves­ti­ga­tion has found that no cus­tomer pass­words or cre­den­tials were ac­cessed.

The com­pa­ny added that it is im­por­tant to note that cer­tain state­ments cur­rent­ly in the pub­lic do­main re­gard­ing the pub­li­ca­tion of per­son­al da­ta are in­ac­cu­rate and in­valid.

TSTT said it does not re­quest, re­quire, and/or store on its data­bas­es any of the fol­low­ing in­for­ma­tion re­lat­ed to its cus­tomers.

Those are, “cred­it card in­for­ma­tion, cus­tomer pass­words, ap­provals for hous­ing, and ship­ping doc­u­ments.”


