DAREECE POLO
Senior Reporter
dareece.polo@guardian.co.tt
Former Telecommunications Services of Trinidad and Tobago CEO Lisa Agard, is threatening legal action against her successor, Kent Western, who yesterday implied that she may have misled Minister of Public Utilities Marvin Gonzales on the data breach that hit the company in October last year.
Agard made the comment during an interview with Guardian Media yesterday, hours after a Joint Select Committee (JSC) on State Enterprises spent two-and-a-half hours analysing TSTT’s handling of the October 9 cybersecurity breach.
“This CEO, the former CEO of TSTT, categorically denies that I provided any misleading or false information to the minister, or indeed to any stakeholder group throughout this entire process,” she said.
“And if TSTT’s CEO is saying that I provided misleading or false information to the honourable minister, that is absolutely wrong and a serious and egregious defamation for which I will have to consult my attorneys to advise me on the appropriate legal action to take against TSTT and the acting CEO, in particular, for defaming my character.”
It was on October 27 that the public was informed about the incident that led to six gigabytes of TSTT data being released on the dark web.
On November 1, when Couva South MP Rudy Indarsingh posed an urgent question to Gonzales on whether any of TSTT’s data was compromised, he responded by saying, “I can advise, Honourable Member, that based on the safety protocols that were triggered when the incursion was detected, that TSTT’s data and the data of its customers were not in any way compromised.”
He would later retract those statements in the media, leading Princes Town MP Barry Padarath to file a motion on December 13 to send Gonzales to the Privileges Committee for misleading the Parliament.
Gonzales, however, apologised over the matter to the House last Friday and no further action was taken against him.
Addressing TSTT officials during the meeting yesterday, JSC member Wade Mark said Gonzales had attributed all his statements on November 1 to TSTT. He thus asked for an explanation of who on TSTT’s executive management or board of directors had misled or mispresented information on the breach.
“Honourable member, the office of the CEO is responsible for all brand reputation statements. So, the CEO’s office is the one that issues any statement or authorises any statements to the public or to the board, especially in cases of a sensitive nature,” Western said.
Mark probed further, asking Western for clarification on whether that communication read in the parliamentary record was provided by former CEO Lisa Agard, who was fired in the fallout over how the breach was handled.
“Yes, honourable member, I will state in my view that the office that would issue that instruction or that notification would be the office of the CEO,” Western repeated.
However, Agard last evening retorted that this was not accurate. She said her only communique with the Minister on the matter was via WhatsApp on November 1. She said he requested information in response to the urgent question from the Opposition MP. A statement was subsequently prepared by the communications department after liaising with the networks and IT department before it was sent to the then CEO.
“Based on my recollection of events, what was actually said by the Minister in the Parliament was not what was actually prepared for him. What he quoted from in the Parliament, on the first of November, was from the public statement that TSTT had made on the 30th of October,” she explained.
JSC chair Anthony Vieira subsequently said Agard would be invited to respond to some of the statements made. Agard welcomed any opportunity to appear before the JSC to clarify the timeline of communication.
Asked if she felt like she was being used as a scapegoat, Agard said that was a question for the board to answer.
“I have no idea to this day why the board prematurely terminated my contract of employment and so, therefore, I think the proper entity to which you should address that question is the board of directors of TSTT,” she said.
Gonzales had no comment on the matter when contacted by Guardian Media yesterday.
Meanwhile, the current acting TSTT CEO also told the JSC that taxpayers paid close to a million dollars to data protection company CyberEye Limited in the aftermath of the breach. However, Western said a ransom was not paid to those who attacked its system.
“The initial cost was 975 thousand dollars, Trinidad and Tobago dollars. There was no ransom paid to RansomExx on the advice of our consultants and in keeping with industry guidance, we do not negotiate with terrorists or companies that position themselves in this role, as it further exposes the business,” Western said.
Check Point Software Technologies was also hired in 2022 but TSTT officials could not state how much was paid to the company for its services.
Part of the JSC session, where sensitive issues could be discussed, were also heard in-camera on TSTT’s request, which the panel agreed to.
An internal investigation into the breach, ordered by Minister Gonzales, is expected in 16 weeks.
Last year, on the heels of the breach, Guardian Media obtained scans which revealed that banking information for customers, companies, state enterprises and ministries was also released.
TSTT senior manager Tanya Muller told the JSC it was only “a couple” of cases where this information, including credit card details, was released. She said there were 531 files in particular that stored birth certificates, death certificates and credit card information that were ultimately leaked.
