Ma­jor al­le­ga­tions were lev­elled against the board of the Telecom­mu­ni­ca­tions Ser­vices of Trinidad and To­ba­go (TSTT), with its for­mer Chief Ex­ec­u­tive Of­fi­cer (CEO) claim­ing the root cause of the Oc­to­ber 9, 2023 cy­ber­at­tack was not re­port­ed, while a for­mer Chief Fi­nan­cial Of­fi­cer claimed moves were made to un­der­mine him to pro­tect un­nec­es­sary spend­ing.

The al­le­ga­tions came as for­mer CEO Lisa Agard and for­mer CFO Shi­va Ram­nar­ine ap­peared be­fore a Joint Se­lect Com­mit­tee (JSC) of Par­lia­ment which sought to ex­am­ine TSTT’s man­age­ment of the cy­ber­se­cu­ri­ty breach of da­ta be­fore, dur­ing and af­ter its oc­cur­rence on Oc­to­ber 9, 2023.

Dur­ing her open­ing state­ment, Agard brought up an­oth­er breach which took place six days pri­or, which she said she was not in­formed of.

“Did TSTT mis­di­rect, ob­fus­cate in the Par­lia­ment on Jan­u­ary 22, in ex­plain­ing the root cause of the cy­ber­at­tack?” Agard asked in ref­er­ence to when mem­bers of TSTT’s ex­ec­u­tive ap­peared be­fore a JSC on the same mat­ter in Jan­u­ary 2024.

Agard re­mind­ed the JSC that TSTT in Jan­u­ary said the is­sue arose when the “threat ac­tor” gained ac­cess to an ad­min’s pass­word and that is how they were able to ac­cess TSTT’s en­vi­ron­ment. But Agard said there was an in­ter­im re­port that con­firmed one ac­count be­ing a pri­ma­ry source of ma­li­cious ac­tiv­i­ty as ear­ly as Oc­to­ber 3rd that cre­at­ed mul­ti­ple do­main ac­counts with the same pass­word be­tween 5.45 am and 5.52 am on the same day.

“I heard the chair­man (TSTT) say the at­tack took place on the 9th; all re­ports to the board or min­is­ter spoke of the in­ci­dent oc­cur­ring on Oc­to­ber 9, 2023. How­ev­er, it is clear that a sig­nif­i­cant breach or in­cur­sion hap­pened on Oc­to­ber 3, 2023. When did TSTT know about the breach? Did the in­ter­nal TSTT ad­min not re­alise she had lost her cre­den­tials? That is a se­ri­ous red flag in any IT op­er­a­tion,” Agard said.

She said that per­son is still em­ployed by TSTT.

Agard al­so asked, “Was any es­ca­la­tion made to any­one in IT? If yes, then to whom and what date? And fi­nal­ly, why was the CEO (Agard at the time) not told about this breach that oc­curred on Oc­to­ber 3, why did she have to see it in the Check­point In­ter­im Re­port on the No­vem­ber 10? Why did all the com­mu­ni­ca­tion to the CEO about the breach in­di­cate that it oc­curred on Oc­to­ber 9?”

In light of these al­le­ga­tions, JSC mem­ber Rudranath In­dars­ingh asked, “In your opin­ion, why was there a de­lay and was it done de­lib­er­ate­ly to un­der­mine your of­fice?”

Agard re­spond­ed, “I can on­ly sur­mise as to the rea­son why it was not brought to my at­ten­tion. It was nev­er com­mu­ni­cat­ed to me by the Net­works and IT team in any form and any way. So, per­haps the ques­tion is bet­ter di­rect­ed to TSTT as to why, as CEO, I was not in­formed that a ma­jor breach hap­pened on the 3rd of Oc­to­ber.”

For­mer CFO Shi­va Ram­nar­ine, who was al­so at yes­ter­day’s JSC, blamed the com­pa­ny’s IT and Net­works de­part­ment for at­tempt­ing to dis­tort the truth and de­flect re­spon­si­bil­i­ty.

“I hope this com­mit­tee can ex­am­ine the ac­tions tak­en by sev­er­al par­ties to de­flect re­spon­si­bil­i­ty and evade ac­count­abil­i­ty re­gard­ing this un­for­tu­nate event. Many com­pa­nies have been vic­tims of cy­ber­at­tacks, how­ev­er, this one at TSTT must be dif­fer­en­ti­at­ed from such high-lev­el so­phis­ti­cat­ed at­tacks. One can even ques­tion whether this at­tack rose out of sheer in­com­pe­tence or was in­ten­tion­al­ly fa­cil­i­tat­ed,” Ram­nar­ine said.

Ram­nar­ine’s re­sponse prompt­ed Sen­a­tor Wade Mark to ques­tion again if there was a clear at­tempt by in­ter­nal and ex­ter­nal forces to un­der­mine TSTT as an in­sti­tu­tion with Agard and Ram­nar­ine be­ing ca­su­al­ties of that ac­tion.

Agard called on the JSC to draw its own con­clu­sions from the ev­i­dence put be­fore it, but she added, “It may well be that you con­clude that there is an in­escapable in­fer­ence that there was un­der­min­ing tak­ing place in the or­gan­i­sa­tion by how the net­works and IT team re­spond­ed to this en­tire sit­u­a­tion, but I would pre­fer not to make that com­ment pub­licly.”

Ram­nar­ine was more forth­right with his an­swer and said, “Yes, it was at every front, at the board lev­el.”

Ex-CFO: We were de­lib­er­ate­ly tar­get­ed

As CFO, Ram­nar­ine said, he and Agard were the “new kids on the block” and were mak­ing cost-cut­ting de­ci­sions to en­sure the sus­tain­abil­i­ty of TSTT. These de­ci­sions, he said, ruf­fled the feath­ers of those who en­joyed the sta­tus quo.

Ram­nar­ine said when he joined TSTT, the com­pa­ny was a loss-mak­ing en­ti­ty with a $3 bil­lion debt, ris­ing with in­ter­est. Ram­nar­ine said he did not blind­ly cut spend­ing but im­ple­ment­ed a process to man­age it which “shocked” the or­gan­i­sa­tion’s cul­ture.

“Ven­dors were brought in to ne­go­ti­ate their rates, cer­tain rates, for ex­am­ple $90 an hour. We brought Ernst and Young to look in­to that. Ernst and Young said the mar­ket rate was $50 an hour. Ven­dors’ prof­itabil­i­ty moved down by $36 mil­lion. TSTT saved $36 mil­lion from that one trans­ac­tion.

“Was there an­i­mos­i­ty be­tween ven­dor and TSTT? Ab­solute­ly? Re­la­tion­ships with board mem­bers and those ven­dors? Ab­solute­ly. The for­mer CEO knows the threats I would have re­ceived from ven­dors, di­rect­ly and in­di­rect­ly.”

Ram­nar­ine de­scribed his time at TSTT as “bizarre” and said for the first time in his ca­reer, cost-sav­ing ini­tia­tives were met with­out favour and with dis­cord.

“We need­ed to jus­ti­fy why we need to cut costs. In any oth­er com­pa­ny, it is the oth­er way around, in TSTT no, this was met with re­sis­tance,” Ram­nar­ine added.

In Jan­u­ary, Ram­nar­ine was dis­missed by TSTT.

Sen­a­tor In­dars­ingh asked him what was the rea­son for his ter­mi­na­tion.

“TSTT made a de­ci­sion to ter­mi­nate my em­ploy­ment for no rea­son. It was a clause that I specif­i­cal­ly re­quest­ed be put in­to my con­tract. And that is to en­sure that in the case of hos­til­i­ty or an­i­mos­i­ty, that we can both part ways am­i­ca­bly,” Ram­nar­ine re­spond­ed.

In­dars­ingh asked if it was linked to Oc­to­ber 2023’s mal­ware in­cur­sion.

“I would say that there was a great deal of dis­in­for­ma­tion be­ing put out around my not ap­prov­ing spend­ing which have been re­fut­ed and rub­bished de­spite the at­tempt of the net­works and IT teams and oth­ers to cloud the in­com­pe­tence at play. I would say in hind­sight that played a sig­nif­i­cant role but be­cause it was a ter­mi­na­tion for no rea­son, I can­not say specif­i­cal­ly what that would be,” Ram­nar­ine an­swered.

TSTT chair­man Sean Roach did not im­me­di­ate­ly re­spond to ques­tions sent via text mes­sage, nor did he an­swer Guardian Me­dia’s calls yes­ter­day.

Mean­while, Pub­lic Util­i­ties Min­is­ter Mar­vin Gon­za­les said he was wait­ing for the com­ple­tion of the probe he re­quest­ed in­to the Oc­to­ber 2023 in­ci­dent be­fore com­ment­ing fur­ther. He ex­pects that to be ready in March.

Gon­za­les was re­spond­ing to ques­tions sent by Guardian Me­dia re­gard­ing state­ments made by Agard over this state­ment in Par­lia­ment on No­vem­ber 1, where he was ac­cused of mis­lead­ing the House on the sever­i­ty of the Oc­to­ber 9 TSTT da­ta breach.

Agard yes­ter­day again un­der­scored that what the Pub­lic Util­i­ties Min­is­ter read in the house did not come from her but in­stead a let­ter which was sent to TSTT’s en­ter­prise cus­tomers. She said in her re­sponse to the Min­is­ter via What­sApp, there was noth­ing that said TSTT’s da­ta and the da­ta of its cus­tomers were not in any way com­pro­mised.