Over one million TSTT customer records on dark web

Over one million records of personal information belonging to customers in the Telecommunications Services of Trinidad and Tobago’s (TSTT) database have been dumped on the dark web, contrary to the company’s assertion that the data was not compromised in a cyberattack.
Over the weekend, international hackers Ransomexx announced that they infected TSTT with ransomware and stole as many as six gigabytes (GB) of its data, including names, e-mail addresses, national ID numbers, phone numbers and “a lot of other sensitive data”.
TSTT issued a statement saying that at the onset of the threat, its incident response processes were “swiftly activated”.
However, IT experts said the data leak is on a large scale and customers’ information as well as TSTT’s private information about its operations are all on the dark web.
Caribbean Communications Network (CCN—Express and TV6) IT head Keenan Martinez said yesterday he estimated over a million records in total were leaked online.
“I can confirm based on the examination of the data by the Ransomexx group that personal information is accessible and has been leaked,” he said.
He said about four databases are accessible to the public for downloading.
The leaked information includes people’s names, addresses, telephone numbers, identification card information, and driver’s licence details.
He said there are folders containing scanned documents such as letters of transfer of authority or ownership, as well as photos of identification cards.
Martinez said of major concern is the leak of TSTT’s operational information and all the credentials for TSTT’s Mausica data centre.
Cyber security strategies

Asked whether he considered this a major security breach, Martinez said: “Definitely. I would. I believe it is a major concern for consumers because persons’ personal information is on the web, that information can be used by malicious persons for fraud. They can target persons in terms of where they are living,” he said.
Martinez explained that to access this information, a person would need to use a “TOR” browser and locate the link.
“You cannot use a regular Google Chrome browser and put in a URL in there and access the content,” he said.
He said he did not see any financial information such as credit card numbers.
These ransomware groups use a “TOR” browser that allows one to access dark web content. He said a person would need to search for the URL’s location.
“Once they gain access to that URL, they would see many other companies that have been breached by that Ransomexx group, one of the first lines you see is TSTT Breach. When you click on it you get a synopsis of the data, you will also see a link to be able to download the content and they have it broken up into three or four parts,” he said.
He explained that Ransomexx is a group that hacks into company systems and demands a ransom to be paid by threatening to release confidential information.
The ransom, he said, is paid through various avenues, including cryptocurrency such as Bitcoin, among others.
Asked how one removes the data from the dark web, Martinez said:
“One cannot. Initially, when a Ransomexx group targets a company—it’s either you pay them what they are asking for, or they post the data online,” he said.
He said there is no way to stop other hackers or people from downloading and taking the personal data.
Companies, he said, should focus on cybersecurity strategies that protect against cyberattacks. He said companies should refrain from paying ransoms because there have been reports of different ransom groups collaborating to share information.
“So Ransomexx group A would get funds from the company and then pass on the information to Ransomexx group B,” he said, adding that the cycle continues.
Massive fines

Enterprise risk and security consultant and owner of the Computer Forensics and Security Institute (CFSI) Shiva Parasram told the Express yesterday that criminals can access this information and target people.
“It is incredibly dangerous because now somebody can call you and say ‘we have your information, I am from TSTT, we want to send somebody to check your Internet, your router, your phone, they coming to your house’. They have all your information,” he said.
He said under the European Union, if a company does not disclose a breach in 72 hours, they have massive fines to face.
“If TSTT was under the EU they would probably have to close down based on the fine alone,” he said.
He said TSTT cannot get rid of the information from the dark web, but it can seek help from international companies at an exorbitant price to try to “scrub” the information—but this is tricky because hundreds of thousands of people and hackers can download the information.
“We are seeing passwords and people’s ID card numbers and private information. So anyone can go on the dark web and access the information,” he said.
He said there are files to indicate whether people pay with card or cash.
He explained that “TOR” is a virtual private browser that hides one’s identity when accessing the dark web, and anyone can use it to access this leaked information.
“There are passwords for TSTT’s internal system as well on there, so I have no clue how they can downplay this and say it is not a breach,” he said.
What TSTT said:

Attempts to reach TSTT for comment yesterday were futile, but in a media release, on October 30, the company confirmed it was the victim of a cyberattack, but said “there was no loss or compromise of customer data, ie, no data was deleted from TSTT’s databases or manipulated”.
TSTT said it cannot confirm whether the information revealed by Ransomexx is their customer data.
“At this time, the company has not corroborated data currently in the public domain purported to be TSTT’s customer information, and it should be noted that the various TSTT platforms generate terabytes of data,” TSTT stated in the media release. According to TSTT, on October 9, cyberattackers attempted to gain unauthorised access to its systems.
“Cyber threats of this nature are a continuous feature of modern digital operating systems, and telecommunications infrastructure is no exception to these threats and incursions. TSTT has continuously invested resources in the millions of dollars in its processes and IT infrastructure to protect its systems and the data it produces and stores,” it said.
TSTT said at the onset of the threat, its incident response processes were “swiftly activated”.
Internationally-recognised cybersecurity experts were also enlisted to help deal with the problem, TSTT said.
“The company took immediate steps to minimise the security vulnerability, successfully isolating its systems and applications. These applications were subsequently quarantined, rebuilt and put back into production as part of clearly defined policies and procedures. The company also enlisted the support of internationally-recognised cyber security experts and partners in investigating the attempted breach and advising on the implementation of appropriate additional security measures and protocols. Some of these recommendations have already been implemented,” it stated.
https://trinidadexpress.com/news/local/ ... 1013c.html