The Telecommunications Services of Trinidad and Tobago recently experienced a cyberattack resulting in the theft of personal data for over a million customers. But in the aftermath, the company has been bungling its handling of the incident. In this article, we highlight early takeaways.
In late October/early November, news began to emerge that the incumbent telecoms company in Trinidad and Tobago, the Telecommunications Services of Trinidad and Tobago (TSTT), had experienced a cyberattack and the theft of large volumes of data. At first, the company vehemently denied that its systems had been breached and stated that there was no loss of customer data, with the public utilities minister also speaking out in support of TSTT.
However, amid the denial, the hackers released 6GB of the stolen data, categorically refuting the claims made by TSTT. The company, though subsequently admitting to the breach, still held firm that “there was no loss, manipulation or compromise of customer data from its databases”.
With the stolen data publicly available, members of the Trinidad and Tobago tech community, such as Mark Lyndersay and Keron Rose, started to agitate not only about the erroneous claims and assurances being made by TSTT but also about the fact that the personal and confidential datasets of millions of consumers had been stolen. At the time of writing, it is evident that the fallout has begun. The Minister has ordered a thorough investigation into the matter, the head of the workers’ union is calling for senior executives at TSTT to be sacked, whilst consumers are starting to come to terms with how much they have been exposed and with the immediate remedies that can be pursued.
Although we may be months away from understanding the full impact and consequences of the TSTT breach, there are still some early takeaways that can be drawn.
1. Transparency and honesty are crucial in managing the fallout
Trust is the foundation of any successful business. When a company falls victim to a cyberattack, how it responds can have a significant impact on the level of trust customers, partners and other stakeholders have in the organisation.
Often, incumbent telecoms providers, such as TSTT, are not seen in a positive light by consumers, and so from the outset, trust would already have been questionable. Further, by flat-out denying the data leak and then, when forced into a corner, having to backtrack on its earlier position, TSTT arguably demonstrated a lack of honesty and integrity. Moreover, those efforts were most likely made to protect its reputation, but in fact they have damaged its reputation, and consumer trust and confidence, more than they were before.
2. Denial is not an effective crisis management strategy
Second, an important lesson organisations should learn from TSTT’s approach is that denial, as a means of damage control and reputation protection, can be one of the fastest ways of losing control of a situation. Cyberattacks and breaches have become increasingly sophisticated, and so there is a general acceptance that it is no longer a question of ‘if’, but ‘when’, an incident will occur.
As a result, since it may now be near impossible to avoid a cyberattack, there is a growing emphasis on crisis management and cyber resilience. However, from all indications, it appears that these strategies are underdeveloped at TSTT, as very little has been shared about the steps the organisation has been taking to address the matter, or about being truthful regarding the data loss that has occurred.
3. Weak data protection laws locally do not necessarily reduce culpability
Finally, in many jurisdictions, businesses are legally obligated to disclose cyberattacks and data breaches promptly. Like most Caribbean countries, Trinidad and Tobago has data protection legislation, but it is dated, having been promulgated in 2011, and is unlikely to be fully aligned with current best practices in the field. More crucially, however, the 2011 law still has not been fully implemented 12 years later.
For example, although the country’s Data Protection Act makes provision for the establishment of an Office of the Information Commissioner, that office has not yet been created. As a result, and throughout the discourse on the data leak that has occurred, key requirements and processes under the Act have not been fully operationalised and cannot be relied upon.
However, although only a weak data protection framework exists locally, TSTT, and by extension Trinidad and Tobago, ought to be concerned about the extraterritorial reach of other laws, such as the European Union (EU) General Data Protection Regulation (GDPR), which seeks to protect data belonging to EU citizens and residents.
From all reports, EU citizens’ and residents’ personal data were included in the data breach. Based on how the incident has been handled by TSTT so far – especially concerning reporting, advising affected parties and overall management of the situation – TSTT could find itself in the crosshairs of the GDPR and the hefty fines that could be incurred under it.
Image credit: DCStudio (Freepik)