{"id":169385,"date":"2023-11-10T05:45:00","date_gmt":"2023-11-10T10:45:00","guid":{"rendered":"https:\/\/www.ict-pulse.com\/?p=169385"},"modified":"2023-11-10T05:53:07","modified_gmt":"2023-11-10T10:53:07","slug":"3-early-takeaways-from-the-tstt-cyberattack","status":"publish","type":"post","link":"https:\/\/ict-pulse.com\/2023\/11\/3-early-takeaways-from-the-tstt-cyberattack\/","title":{"rendered":"3 early takeaways from the TSTT cyberattack"},"content":{"rendered":"\n

The Telecommunications Services of Trinidad and Tobago recently experienced a cyberattack resulting in the theft of personal data for over a million customers. But in the aftermath, the company has been bungling its handling of the incident. In this article, we highlight early takeaways.<\/em><\/p>\n\n\n\n

 <\/p>\n\n\n\n

In late October\/early November, news began to emerge that the incumbent telecoms company in Trinidad and Tobago, the Telecommunications Services of Trinidad and Tobago (TSTT), had experienced a cyberattack and the theft of large volumes of data. At first, the company vehemently denied that its systems had been breached, and stated that there was no loss of customer data, with the public utilities minister also chiming in in support of TSTT.<\/p>\n\n\n\n

However, amid the denial, the hackers released 6GB of the stolen data categorically refuting the claims made by TSTT. But the company, though subsequently admitting to the breach still held firm<\/a> that \u201cthere was no loss, manipulation or compromise of customer data from its databases<\/em>\u201d.<\/p>\n\n\n\n

With the stolen data publicly available, members of the Trinidad and Tobago tech community, such as Mark Lyndersay and Keron Rose, started to agitate not only about the erroneous claims and assurances being made by TSTT but also the fact that the personal and confidential datasets for millions of consumers had been stolen. At the time of writing, it is evident that the fallout has begun. The Minister has ordered a thorough investigation into the matter, the head of the workers\u2019 union is calling for senior executives at TSTT to be sacked, whilst consumers are starting to come to terms with how much they have been exposed and immediate remedies that can be pursued.<\/p>\n\n\n\n

Although we may be months away from understanding the full impact and the consequences of the TSTT breach, there are still some early takeaways that can be made.<\/p>\n\n\n\n

 <\/p>\n\n\n\n

1.  Transparency and honesty are crucial in managing the fallout  <\/h2>\n\n\n\n

Trust is the foundation of any successful business. When a company falls victim to a cyberattack, how it responds can have a significant impact on the level of trust customers, partners and other stakeholders have in the organisation.<\/p>\n\n\n\n

Often, incumbent telecoms providers, such as TSTT, are not seen in a positive light by consumers, and so from the outset, there would have been questionable trust. Further, in flat-out denying the data leak and then when forced into a corner having to backtrack on its earlier position, it can be argued that TSTT demonstrated a lack of honesty and integrity. Moreover, those efforts were most likely being done to try to protect its reputation, but in fact, has damaged its reputation and consumer trust and confidence more than it had been before.<\/p>\n\n\n\n

 <\/p>\n\n\n\n

2.  Denial is not an effective crisis management strategy<\/h2>\n\n\n\n

Second, an important lesson organisations should learn from TSTT\u2019s approach is that denial as a means of damage control and reputation protection can be one of the fastest ways of losing control of a situation. Cyberattacks and breaches have become increasingly sophisticated and so there is a general acceptance that it is no longer \u2018if\u2019, but \u2018when\u2019 an incident will occur. <\/p>\n\n\n\n

As a result, since it may now be near impossible to avoid a cyberattack, there is a growing emphasis on crisis management and cyber resilience. However, from all indications, it appears that these strategies are underdeveloped at TSTT, as very little has been shared about the steps the organisation has been taking to address matter, and being truthful about the data loss that has incurred.<\/p>\n\n\n\n

 <\/p>\n\n\n\n

3.  Weak data protection laws locally do not necessarily reduce culpability<\/h2>\n\n\n\n

Finally, in many jurisdictions, businesses are legally obligated to disclose cyberattacks and data breaches promptly. Like most Caribbean countries, Trinidad and Tobago has data protection legislation, but it would be dated, having been promulgated in 2011, and is unlikely to be fully aligned with current best practices in the field. However, more crucially, the 2011 law still has not been fully implemented 12 years later.<\/p>\n\n\n\n

For example, although the country\u2019s Data Protection Act makes provision for the establishment of an Office of the Information Commissioner, that office has not yet been created. As a result, and in all of the discourse on the data leak that has occurred, key requirements and processes under the Act have not been fully operationalised and cannot be relied upon.<\/p>\n\n\n\n

However, although a weak data protection framework exists locally, TSTT and by extension Trinidad and Tobago, ought to be concerned about the extraterritorial reach of other laws, such as the European Union (EU) General Data Protection Regulation (GDPR), which seeks to protect data belonging to EU citizens and residents. <\/p>\n\n\n\n

From all reports, EU citizens\u2019 and residents\u2019 personal data were included in the data breach. However, based on how the incident has been handled by TSTT so far \u2013 especially concerning reporting, advising affected parties and overall managing the situation \u2013 TSTT could find itself in the crosshairs of the GDPR and the hefty fines that could be incurred.<\/p>\n\n\n\n

 <\/p>\n\n\n\n

 <\/p>\n\n\n\n

Image credit:  DCStudio (Freepik<\/a>)<\/em><\/p>\n\n\n\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

The Telecommunications Services of Trinidad and Tobago recently experienced a cyberattack resulting in the theft of personal data for over a million customers. But in the aftermath, the company has been bungling its handling of the incident. In this article, we highlight early takeaways.<\/p>\n","protected":false},"author":2,"featured_media":169387,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"off","_et_pb_old_content":"","_et_gb_content_width":"","om_disable_all_campaigns":false,"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[11],"tags":[71,105,34],"class_list":["post-169385","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ict-tech","tag-businesses","tag-cybercrimecybersecurity","tag-lists-2","et-has-post-format-content","et_post_format-et-post-format-standard"],"jetpack_publicize_connections":[],"aioseo_notices":[],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"https:\/\/i0.wp.com\/ict-pulse.com\/wp-content\/uploads\/2023\/11\/Computer-monitor-showing-hacked-system-alert-message-DCStudio-freepik.jpg?fit=1024%2C576&ssl=1","jetpack_shortlink":"https:\/\/wp.me\/p2iE1G-I41","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/ict-pulse.com\/wp-json\/wp\/v2\/posts\/169385","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ict-pulse.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ict-pulse.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ict-pulse.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ict-pulse.com\/wp-json\/wp\/v2\/comments?post=169385"}],"version-history":[{"count":4,"href":"https:\/\/ict-pulse.com\/wp-json\/wp\/v2\/posts\/169385\/revisions"}],"predecessor-version":[{"id":169393,"href":"https:\/\/ict-pulse.com\/wp-json\/wp\/v2\/posts\/169385\/revisions\/169393"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ict-pulse.com\/wp-json\/wp\/v2\/media\/169387"}],"wp:attachment":[{"href":"https:\/\/ict-pulse.com\/wp-json\/wp\/v2\/media?parent=169385"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ict-pulse.com\/wp-json\/wp\/v2\/categories?post=169385"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ict-pulse.com\/wp-json\/wp\/v2\/tags?post=169385"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}