Harper urges urgent action as BRA breach exposes personal info

Cybersecurity expert Niel Harper. (FP)

Charging that the Barbados Revenue Authority (BRA) might have suffered the most extensive data leak to date, cybersecurity expert Niel Harper warned that a massive amount of sensitive information has been exposed and blasted the government’s response as inadequate.

Harper is charging that the breach is far more serious than what has been disclosed by officials, accusing them of downplaying the scale of the incident.

“This is a massive data breach, quite possibly the largest in the history of the country,” Harper charged in a statement on Wednesday, a day after news surfaced of the theft of data by malicious threat actors, identified as “Pryx”, who listed it for sale.

The compromised data is said to include a wide range of personal and corporate information such as national and foreign passports, ID cards, driving licences, financial transactions, vehicle registrations, company incorporation documents, customs documentation, licence payment invoices, and medical certificates.

Harper, managing director and digital trust practice leader at Octave Cyber Security Group, said he sent correspondence on the issue to Attorney General Dale Marshall and Minister of Industry, Innovation, Science and Technology Marsha Caddle advising on what needed to be done as a matter of urgency to mitigate further harm to affected individuals. He said he had also reached out to Prime Minister Mia Mottley but had yet to receive a reply from any of the three officials.

In her statement issued on Tuesday, Caddle said that, based on her ministry’s investigations and those of the BRA, there was no evidence to suggest that the breach extended beyond vehicle registration data. She added that an incident response team had been mobilised, and additional countermeasures were being implemented to secure affected systems.

As reports poured in Tuesday that sensitive information from the nation’s tax collector was reportedly circulating on social media and the wider internet, raising alarm, BRA communications and public relations manager Carolyn Williams-Gayle said the compromised data appeared to be restricted to vehicle registration application information. “We are actively investigating the incident,” she said. “The confidence and trust that individuals and businesses have in the Authority are the cornerstones of our systems, so we’re currently working with our partners and law enforcement to conduct a thorough investigation to determine the nature and scope of the reported incident.”

But Harper suggested that the breach extended far beyond what had been officially reported by local authorities. He also expressed concern over the government’s slow response.

In a list of recommendations to Marshall and Caddle, the cybersecurity professional advised that authorities should notify all individuals whose data has been compromised and explain the severity of the breach to them as required under the Data Protection Act.

He added that the government should also provide guidance to residents on how to protect themselves from risks such as identity theft, fraud, and bank account compromise.

Harper also urged the government to say what measures it would take to prevent similar incidents in the future.

“It was important to show accountability and explain to the data subjects what the government plans to do to prevent these types of breaches from happening again,” he stressed.

The data privacy expert also called on authorities to notify international supervisory bodies, such as those in the European Union (EU), United Kingdom, and Canada – given that the data of foreign nationals may have been compromised – as required under international law.

Harper warned that not following these steps would place the government in breach of international data protection regulations.

“Failing to do so would mean the government is in violation of several international data protection laws, as well as the Barbados Data Protection Act,” he declared. “The laws generally require that data subjects and supervisory authorities are to be notified of a material breach in 72 hours.”

Harper said he has been assisting “in the background”, advising the parties involved with responding to the breach “what are the best technical actions to take to reduce the associated risks”.

Reflecting on his long-standing advocacy for stronger data privacy and cybersecurity measures in Barbados, Harper noted the challenges he has faced over the years, citing a lack of support from successive governments.

“Despite being subjected to constant ridicule and disrespect from the government (both DLP and BLP administrations) when it comes to matters of digital transformation, cybersecurity, and data privacy, I continue to be steadfastly committed to protecting Bajans from online harms,” declared Harper who currently serves on the Independent Management Advisory Committee of the International Telecommunication Union, the Professional Standards Working Group of the UK Cyber Security Council, and as an Independent Director & Vice-Chair, Board of Directors at the Information Systems Audit and Control Association.

Harper was recently named among the recipients of this year’s International Information System Security Certification Consortium (ISC2) Global Achievement Awards. He was given the Senior Professional Award – EMEA (Europe, Middle East, and Africa) Region, which recognises an individual regionally who has significantly contributed to the enhancement of the cybersecurity workforce by demonstrating a leadership role in their profession.

 

 
