BitDepth#1433

Mark Lyndersay

NOW THAT the furore, at least in the media, about the TSTT hack has largely subsided, perhaps it's time to think about why the incident loomed so large in the public consciousness.

It can't be just the fact of the data breach. There were breaches before and breaches right after that didn't raise that level of alarm.

Eighteen days after the story broke, TSTT CEO Lisa Agard was reported, in the words of a company press release, to have 'departed.'

Placed in an acting role is Kent Western, abruptly promoted from the post of general manager, customer experience and marketing, who must now make sense of the situation.

What went wrong, or was so dramatically different from previous data breaches?

The data went public.

TSTT chose to downplay the significance of the breach by declaring the 6GB data haul to be insignificant compared to the terabytes of data it manages daily.

But the size of the data made accessing and working with it possible for even casual users.

Unfortunately, too, the stolen files were not encrypted. Encryption makes data unreadable without a password and protects with varying levels of complexity.

The size of some of the exfiltrated files and nature of the data encoding, designed to be read by an Oracle database, meant that it was impossible to review the largest files in their entirety using commonly available tools. There was enough there to send ordinary citizens into a tizzic.

The small size of the files also allowed them to be widely distributed after they were eventually downloaded from the dark web and posted to open internet file-sharing sites, and that brought further inspection, some of it admittedly both hysterical and ill-advised.

The communication was a hot mess.

Even in her final public communication in a full-page press statement, TSTT's CEO seemed to be blaming the poor messaging on everyone except herself.

It's hard to imagine Agard, a lawyer, allowing any statement from the company to be sent if it did not have her unequivocal approval, and what she approved was dense with legal caveats, evasiveness and misdirection.

The releases on October 30 and November 5 were not communication with anxious customers. They were a clumsy attempt to change the conversation, but nobody had time for that.

When news broke just seven days later that a 2021 data breach of Digicel Group data had been found by Jamaican cybersecurity investigators, two things stopped that news from commanding headlines.

Digicel could point to a press release disclosing what had happened days after the data went live, and, at 164.55GB, it was impenetrably encoded for distribution. The file was archived on the dark web in 337 segments, each 500MB in size. All the archive segments had to be downloaded and then reassembled for access. A daunting task at best.

Misunderstanding

the stakeholders

TSTT's communications during the heat of the incident first denied any impact on its customers, then sought to downplay potential