Major allegations were levelled against the board of the Telecommunications Services of Trinidad and Tobago (TSTT), with its former Chief Executive Officer (CEO) claiming the root cause of the October 9, 2023 cyberattack was not reported, while a former Chief Financial Officer claimed moves were made to undermine him to protect unnecessary spending.
The allegations came as former CEO Lisa Agard and former CFO Shiva Ramnarine appeared before a Joint Select Committee (JSC) of Parliament which sought to examine TSTT’s management of the cybersecurity breach of data before, during and after its occurrence on October 9, 2023.
During her opening statement, Agard brought up another breach which took place six days prior, which she said she was not informed of.
“Did TSTT misdirect, obfuscate in the Parliament on January 22, in explaining the root cause of the cyberattack?” Agard asked in reference to when members of TSTT’s executive appeared before a JSC on the same matter in January 2024.
Agard reminded the JSC that TSTT in January said the issue arose when the “threat actor” gained access to an admin’s password and that is how they were able to access TSTT’s environment. But Agard said there was an interim report that confirmed one account being a primary source of malicious activity as early as October 3rd that created multiple domain accounts with the same password between 5.45 am and 5.52 am on the same day.
“I heard the chairman (TSTT) say the attack took place on the 9th; all reports to the board or minister spoke of the incident occurring on October 9, 2023. However, it is clear that a significant breach or incursion happened on October 3, 2023. When did TSTT know about the breach? Did the internal TSTT admin not realise she had lost her credentials? That is a serious red flag in any IT operation,” Agard said.
She said that person is still employed by TSTT.
Agard also asked, “Was any escalation made to anyone in IT? If yes, then to whom and what date? And finally, why was the CEO (Agard at the time) not told about this breach that occurred on October 3, why did she have to see it in the Checkpoint Interim Report on the November 10? Why did all the communication to the CEO about the breach indicate that it occurred on October 9?”
In light of these allegations, JSC member Rudranath Indarsingh asked, “In your opinion, why was there a delay and was it done deliberately to undermine your office?”
Agard responded, “I can only surmise as to the reason why it was not brought to my attention. It was never communicated to me by the Networks and IT team in any form and any way. So, perhaps the question is better directed to TSTT as to why, as CEO, I was not informed that a major breach happened on the 3rd of October.”
Former CFO Shiva Ramnarine, who was also at yesterday’s JSC, blamed the company’s IT and Networks department for attempting to distort the truth and deflect responsibility.
“I hope this committee can examine the actions taken by several parties to deflect responsibility and evade accountability regarding this unfortunate event. Many companies have been victims of cyberattacks, however, this one at TSTT must be differentiated from such high-level sophisticated attacks. One can even question whether this attack rose out of sheer incompetence or was intentionally facilitated,” Ramnarine said.
Ramnarine’s response prompted Senator Wade Mark to question again if there was a clear attempt by internal and external forces to undermine TSTT as an institution with Agard and Ramnarine being casualties of that action.
Agard called on the JSC to draw its own conclusions from the evidence put before it, but she added, “It may well be that you conclude that there is an inescapable inference that there was undermining taking place in the organisation by how the networks and IT team responded to this entire situation, but I would prefer not to make that comment publicly.”
Ramnarine was more forthright with his answer and said, “Yes, it was at every front, at the board level.”
Ex-CFO: We were deliberately targeted
As CFO, Ramnarine said, he and Agard were the “new kids on the block” and were making cost-cutting decisions to ensure the sustainability of TSTT. These decisions, he said, ruffled the feathers of those who enjoyed the status quo.
Ramnarine said when he joined TSTT, the company was a loss-making entity with a $3 billion debt, rising with interest. Ramnarine said he did not blindly cut spending but implemented a process to manage it which “shocked” the organisation’s culture.
“Vendors were brought in to negotiate their rates, certain rates, for example $90 an hour. We brought Ernst and Young to look into that. Ernst and Young said the market rate was $50 an hour. Vendors’ profitability moved down by $36 million. TSTT saved $36 million from that one transaction.
“Was there animosity between vendor and TSTT? Absolutely? Relationships with board members and those vendors? Absolutely. The former CEO knows the threats I would have received from vendors, directly and indirectly.”
Ramnarine described his time at TSTT as “bizarre” and said for the first time in his career, cost-saving initiatives were met without favour and with discord.
“We needed to justify why we need to cut costs. In any other company, it is the other way around, in TSTT no, this was met with resistance,” Ramnarine added.
In January, Ramnarine was dismissed by TSTT.
Senator Indarsingh asked him what was the reason for his termination.
“TSTT made a decision to terminate my employment for no reason. It was a clause that I specifically requested be put into my contract. And that is to ensure that in the case of hostility or animosity, that we can both part ways amicably,” Ramnarine responded.
Indarsingh asked if it was linked to October 2023’s malware incursion.
“I would say that there was a great deal of disinformation being put out around my not approving spending which have been refuted and rubbished despite the attempt of the networks and IT teams and others to cloud the incompetence at play. I would say in hindsight that played a significant role but because it was a termination for no reason, I cannot say specifically what that would be,” Ramnarine answered.
TSTT chairman Sean Roach did not immediately respond to questions sent via text message, nor did he answer Guardian Media’s calls yesterday.
Meanwhile, Public Utilities Minister Marvin Gonzales said he was waiting for the completion of the probe he requested into the October 2023 incident before commenting further. He expects that to be ready in March.
Gonzales was responding to questions sent by Guardian Media regarding statements made by Agard over this statement in Parliament on November 1, where he was accused of misleading the House on the severity of the October 9 TSTT data breach.
Agard yesterday again underscored that what the Public Utilities Minister read in the house did not come from her but instead a letter which was sent to TSTT’s enterprise customers. She said in her response to the Minister via WhatsApp, there was nothing that said TSTT’s data and the data of its customers were not in any way compromised.