“Fabrication” and “deception”.
Those were the words used by TSTT’s former CEO, Lisa Agard, as she accused her successor Kent Western of deceiving the company’s line minister and suggested that he apologise publicly for misleading the Joint Select Committee (JSC) and the public on details relevant to the cybersecurity attack last October.
Speaking before a JSC on State Enterprises on Monday, Agard criticised the TSTT board, which she said forbade her from speaking to the public, without its approval, after November 6, in the wake of the cybersecurity attack.
According to Agard, a major cyberattack first occurred October 3.
However, TSTT, in all its communications with the public, the Minister of Public Utilities, the National Security Council, referred to the cyberattack first happening on October 9.
She said she herself only learned about the October 3 attack on November 11 when she read it in a Checkpoint Report.
JSC member Wade Mark said he was “mystified” that a malware incursion took place at TSTT on October 3 and Agard was only made aware of it on November 11 when she read it in a report (Checkpoint Report).
Agard noted that the cybersecurity breach was made possible because there was unauthorised access to an administrator’s laptop.
She said certain questions had to be asked: “When did TSTT know about the breach on October 3? Didn’t the internal TSTT administrator not realise that she had lost her credentials? That is a serious red flag in any IT organisation…And, finally, why was the CEO not told about this breach that occurred on October 3? Why did she have to see it in the Checkpoint interim report on November 10? Why did all the communications to the CEO about the breach indicate that it occurred on October 9?”
Agard said by the time she received the Checkpoint Report on November 11 she had “no opportunity to make any enquiry or investigation because by November 14, I was gone”, referring to her dismissal.
“So you ought to direct that question to TSTT because in every single report, whether prepared for the board of directors of TSTT, whether prepared, even for the National Security Council of Trinidad and Tobago, all public communications spoke to the event occurring on October 9,” she said.
Agard also disclosed that the administrator whose laptop was breached, and who has been identified, is still employed with the company.
SHe said the question also had to be asked whether acting CEO Western “intentionally and maliciously misled the committee when he said that it was the CEO’s office that misled the minister (Marvin Gonzales when he stated in Parliament on November 1 that there was no compromise of customers’ data). Stating that Western’s statements to the JSC at its last hearing in which he suggested that the office was responsible for any information that was presented to the Parliament by the minister were untrue, Agard said: “It is clear beyond any doubt that the CEO did not mislead the Honourable Minister and Mr Western’s statement to the contrary is a complete fabrication and deception for which he ought to be made to apologise publicly, particularly as he has all of the information in his possession”.
Agard said one had to ask why did she as CEO “have to literally beg the chairman and the board of TSTT to be allowed to communicate with the public” from November 6 when she was mandated to get prior approval of the chairman and the board before anything was allowed to be put out to the public. “The most important part of that was that a comprehensive communications plan was prepared to inform affected customers in which customers were segmented into different categories: ministers, parliamentarians, permanent secretaries, enterprise customers, and the general public. The board only approved communication to everyone except the general public claiming that it would strain the resources of the contact centre among other things. If, as TSTT now claims, it wishes to be transparent…and timely in its communication to customers, why was the communication plan to the general public not implemented?” she asked.
“Member Mark, had you been communicated with directly, you would have no concern about whether your credit card information was out there or that email communication was out there. You would have known exactly what of your personal identification information was part of the six gig of bytes that was exported. And so, therefore, it is disingenuous in my humble submission for TSTT through the chairman, the acting CEO, and the brand reputation unit that reports to the operations and admin department to communicate publicly that “we need to reshape the conversation with customers around transparency in communication…and…timeliness of the communication…If as TSTT now claims it wishes to be transparent and timely in its communication with customers, then why was the communication plan to the general public not implemented?” Agard stated.
Based on the information presented by Agard, Public Utilities Minister Marvin Gonzales misunderstood the information contained in the TSTT’s press release as well as its correspondence to its enterprise customers, on which he relied in presenting his misleading information to Parliament.
The minister’s misleading statement in the Parliament for which he had to apologise, was that the data of TSTT’s customers was not in any way compromised. Agard said while the minister indicated that at all times he based his response on information provided to him by the executive and or the board of TSTT, TSTT’s correspondence to its customers dated October 29, 2023 and TSTT’s press release of October 30 in which it said there was no loss or compromise of customers data, “specifically and very importantly qualified that statement” by explaining what it meant—that is, that no data was deleted from TSTT’s databases or no data was manipulated. “That to my knowledge remains the case today,” she said.
“The minister in making his statement on November 1 (to the Parliament) never qualified or clarified his statement (about the no compromise of customers data) as TSTT had done in its press release of October 30. So, as a consequence of which, I did not mislead the minister,” she said.
Agard said she only had one direct communication with the minister on the cybersecurity incident when the ministry asked her for a response to an urgent question. In the response that she sent directly to Gonzales via WhatsApp, as well as to several other people including the chairman, there was absolutely no mention whatsoever of TSTT’s data or any statement that the data of its customers was not in any way compromised.
“The minister quoted at length from a letter he purportedly had, which was circulated to a small number of enterprise customers and signed by Darrel Duke, the assistant general manager of business in TSTT. Given its limited circulation, it’s difficult to envisage how the minister came to be in possession of the letter on November 1. At the very least, I can communicate clearly to this committee that it never came from the office of the CEO because I never saw that letter until about November 10,” Agard said.
“But apart from that significant fact, there’s something in the letter which is critical. In communicating to TSTT’s enterprise customers that their data and information had not been compromised. TSTT was referring to customer data and information in the commercial cloud, which was not subject to any cyberattack. It was TSTT’s private virtual cloud that was subject to the cyberattack. And, unfortunately, in relying on that letter, somebody should have explained to the minister the difference between the commercial cloud and the private cloud. Apparently no one did,” Agard said.