Joel Julien

Massy Stores and Massy Dis­tri­b­u­tion Trinidad say that the da­ta un­law­ful­ly ac­cessed by hack­ers dur­ing a cy­ber at­tack in April was “more ex­ten­sive than the pre­lim­i­nary stages of the in­ves­ti­ga­tion in­di­cat­ed.”

“As such, and as a mat­ter of ur­gency, the com­pa­ny will be tak­ing steps to iden­ti­fy and no­ti­fy all ad­di­tion­al par­ties whose in­for­ma­tion may have been un­law­ful­ly ac­cessed,” Massy stat­ed in a re­lease yes­ter­day.

The Busi­ness Guardian yes­ter­day re­port­ed that Massy Stores is cur­rent­ly in­ves­ti­gat­ing claims that an in­ter­na­tion­al ran­somware group had dumped over 700,000 of its files, re­veal­ing the per­son­al in­for­ma­tion of staff and cus­tomers fol­low­ing a hack at­tack ear­li­er this year.

How­ev­er, it has now been re­vealed that more than five months af­ter that hack­ing in­ci­dent, a da­ta dump has oc­curred on the Hive dark web­site. That da­ta dump took place on Tues­day.

A cy­ber­se­cu­ri­ty ex­pert who ver­i­fied the doc­u­ments re­vealed that the Hive Ran­somware group had dumped 87,550 fold­ers and 704,047 cor­po­rate files al­leged­ly be­long­ing to Massy Stores. The ex­pert de­scribed it as “the largest Caribbean da­ta breach dump to date.”

Guardian Me­dia has been able to down­load sev­er­al of the doc­u­ments, which in­clud­ed wire trans­fer in­for­ma­tion, in­voic­es, cus­tomer ac­count num­bers and iden­ti­fi­ca­tion.

The hack­ers pub­licly dumped staff salaries, pho­tos, per­son­al de­tails and copies of cus­tomers’ pass­ports, as well as in­ter­nal au­dit doc­u­ments and oth­er fi­nan­cial in­for­ma­tion from the com­pa­ny.

On April 28, 2022, Massy Stores and Massy Dis­tri­b­u­tion Trinidad ex­pe­ri­enced a cy­ber-se­cu­ri­ty in­ci­dent.

In an up­date on their in­ves­ti­ga­tion of the mat­ter yes­ter­day, Massy stat­ed, “Re­spon­si­bil­i­ty, Hon­esty, and In­tegri­ty are core val­ues of the Massy Group that guide our op­er­a­tions, our peo­ple, and how we do busi­ness.

“We take very se­ri­ous­ly our du­ty to those we serve. Da­ta pri­va­cy and pro­tec­tion, as well as the oblig­a­tions we have as a da­ta con­troller in all coun­tries in which we op­er­ate, is para­mount. In re­sponse to the cy­ber-se­cu­ri­ty in­ci­dent, we im­me­di­ate­ly en­gaged ex­perts in the field to help in­ves­ti­gate. As part of the in­ci­dent re­sponse plan, we no­ti­fied all po­ten­tial­ly im­pact­ed par­ties of the in­ci­dent giv­en the in­for­ma­tion avail­able to us at the time.”

Massy stat­ed through con­tin­ued in­ves­ti­ga­tions of the cy­ber-se­cu­ri­ty in­ci­dent, it is now aware that the da­ta un­law­ful­ly ac­cessed by the at­tack­ers was more ex­ten­sive than the pre­lim­i­nary stages of the in­ves­ti­ga­tion in­di­cat­ed.

“We would like to cau­tion that much of the in­for­ma­tion be­ing shared pub­licly about this cy­ber-se­cu­ri­ty in­ci­dent is spec­u­la­tive and in­ac­cu­rate. We have cre­at­ed of­fi­cial chan­nels for com­mu­ni­ca­tion and en­cour­age any­one with con­cerns to con­tact us di­rect­ly via the chan­nels list­ed be­low,” Massy said.

“We thank our teams for their re­silience and com­mit­ment to be­ing of ser­vice. We al­so thank our stake­hold­ers who have trust­ed us for the past 100 years, as­sured that as com­pa­nies with­in the Massy Group, we will al­ways op­er­ate from a place of in­tegri­ty.”

It is be­lieved that the da­ta re­leased in the dump was used to ef­fect an­oth­er ran­somware at­tack on the Massy Group.

Five days af­ter the da­ta dump, Massy Ja­maica Dis­tri­b­u­tion Ltd was al­so the vic­tim of a re­cent ran­somware at­tack. Fol­low­ing that at­tack, 17 gi­ga­bytes of da­ta from Massy Ja­maica Dis­tri­b­u­tion was dumped on the in­ter­net on Oc­to­ber 9.