Pub­lic Util­i­ties Min­is­ter Mar­vin Gon­za­les said that the Terms of Ref­er­ence (TOR) for an in­ves­ti­ga­tion in­to the Oc­to­ber 9 da­ta breach at the Telecom­mu­ni­ca­tions Ser­vices of Trinidad and To­ba­go (TSTT) is still be­ing fi­nalised and the com­pa­ny tasked to con­duct the in­ves­ti­ga­tion should be on board in the next two to three weeks.

“Once they are on board, it should take two to three months to com­plete,” he told Guardian Me­dia.

Gon­za­les said that an in­ter­nal in­ves­ti­ga­tion was still be­ing com­plet­ed with sup­port from a for­eign team.

TSTT has al­ready en­gaged the ser­vices of a lo­cal in­de­pen­dent cy­ber­se­cu­ri­ty com­pa­ny Cy­ber­Eye, which is af­fil­i­at­ed to Cross­word Cy­ber­se­cu­ri­ty Plc in the Unit­ed King­dom, to do a root cause and log analy­sis, se­cure re-en­able­ment, as­sess the ef­fec­tive­ness of TSTT’s cur­rent cy­ber­se­cu­ri­ty con­trols for pro­tect­ing its in­for­ma­tion as­set against cy­ber threats and fi­nal­ly, threat mon­i­tor­ing and de­tec­tion as part of its in­ter­nal in­ves­ti­ga­tion.

But the ex­ter­nal in­ves­ti­ga­tion, man­dat­ed by Gon­za­les, will be made pub­lic when it is com­plet­ed.

“They want­ed more time but we told them it had to be done as soon as pos­si­ble,” he said.

The cy­ber­breach at­tack on TSTT oc­curred on Oc­to­ber 9 at 4.18 pm but was on­ly made pub­lic on Oc­to­ber 27, af­ter Fal­con Feeds, an In­dia-based tech­nol­o­gy se­cu­ri­ty com­pa­ny, re­port­ed on its X so­cial me­dia ac­count that ran­somware group, Ran­somExx, added TSTT (http://tstt.co.tt) to its vic­tim’s list. It claimed to have ac­cess to 6GB of da­ta.

On Oc­to­ber 28, TSTT said in a state­ment, that there was no com­pro­mise of cus­tomer da­ta but added that it had not cor­rob­o­rat­ed in­for­ma­tion in the pub­lic do­main pur­port­ed to be cus­tomer in­for­ma­tion.

How­ev­er, af­ter cy­ber­se­cu­ri­ty ex­perts went dig­ging in­to the da­ta and made their dis­cov­er­ies pub­lic, the com­pa­ny is­sued an­oth­er state­ment.

On No­vem­ber 3, TSTT ad­mit­ted that 6GB, or less than one per cent of the petabytes of the com­pa­ny’s da­ta, was ac­cessed but that the ma­jor­i­ty of its cus­tomers’ da­ta was not ac­quired and no pass­words were com­pro­mised.

But Guardian Me­dia learnt and re­port­ed that some of the coun­try’s top of­fi­cials, Prime Min­ster Dr Kei­th Row­ley, Pres­i­dent Chris­tine Kan­ga­loo, Chief Jus­tice Ivor Archie, Fi­nance Min­is­ter Colm Im­bert, Na­tion­al Se­cu­ri­ty Min­is­ter Fitzger­ald Hinds, Po­lice Com­mis­sion­er Er­la Hare­wood-Christo­pher and Pub­lic Util­i­ties Min­is­ter Mar­vin Gon­za­les are all in­clud­ed in a list of peo­ple found in doc­u­ments down­loaded from the dark web from TSTT’s da­ta breach.

And de­spite a de­nial by TSTT, Guardian Me­dia ob­tained scans with cred­it card in­for­ma­tion, as well as bank ac­count num­bers, in­clud­ed in the 6GB da­ta bun­dle. Among the scans were bank­ing in­for­ma­tion for cus­tomers, com­pa­nies, State en­ter­pris­es, and min­istries as well as cred­it card num­bers in trans­ac­tion re­ceipts. There were al­so for­eign ID cards and doc­u­ments in the dump.

The list con­tained 1.2 mil­lion en­tries.

For­mer CEO Lisa Agard sub­se­quent­ly apol­o­gised to the com­pa­ny’s cus­tomers whose da­ta was stolen and ex­pressed re­gret for the way the com­pa­ny han­dled its com­mu­ni­ca­tion fol­low­ing the ­cy­ber­at­tack at an in­vestor brief­ing on No­vem­ber 10.

How­ev­er, the TSTT board fired her three days lat­er and ap­point­ed Kent West­ern, TSTT’s for­mer Gen­er­al Man­ag­er of Cus­tomer Ex­pe­ri­ence, as act­ing chief ex­ec­u­tive.