BitDepth#1432

Mark Lyndersay

THE TSTT data breach that went public on October 27 might have been the noisiest consequence of a cyberattack that TT has experienced, but it wasn't the first.

In the case of the ANSA McAL, Massy, Port of Spain City Corporation, Attorney General's Office breaches, along with two others that I know of that were never made public, the saving grace was that the punitive dump of data was never widely distributed.

By last week, roughly eight days after I broke the story on October 28, the 6GB of exfiltrated files had moved beyond the dark web to file-sharing sites on the open internet.

The incident descended into debacle, as the facts, available for review by anyone with the skill or determination to do so, were vigorously denied by TSTT.

It seemed inconceivable to me that nobody saw the problem, and the statements from the Minister of Public Utilities and TSTT flew so blatantly in the face of the facts as to be insulting.

One aspect of this remains an issue of concern. In the face of general apathy about the data breach, mainstream media and online commenters increasingly sought more colourful illustrations of the issue, including displays of unredacted personal information.

The laws that should govern the handling of misappropriated information are still frozen in the parts of the Data Protection Act that have not been brought into local law, but common sense should have moderated some of the more outrageous reporting and demonstrative sharing that characterised an effort to draw more national attention to the issues raised by the breach.

One of the reasons that the act was never fully proclaimed was a vigorous and sustained objection by local media to the chilling effect on reporting that would have resulted from the legislation as originally drafted.

It is important for journalists to view and confirm information before reporting it to the wider public, even if the documents are too sensitive to be widely shared.

If everyone is saying the sky is blue, it's the journalist's job to always open the window and look. If the laws deny that basic precept, they neuter a fundamental facet of journalism and its importance to the public interest.

Who knows how much sensitive personally identifiable information (PII) has already been bobbing around on the dark web as a result of previously reported local data breaches we haven't seen the scope of and those that we don't know anything about.

If nothing else, the widespread enthusiasm of the last two weeks makes it clear that laws are needed, but they must establish parameters that allow practising journalist to evaluate and inform the public, compel companies to disclose the nature and scale of data lost and penalise carelessness in data gathering, management and security.

TSTT's handling of this incident was disgraceful, but not surprising. In November 2019, I wrote a story about the fragile state of the company's back office accounting software (https://cstu.io/58267e).

I was told that TSTT was not happy