The Barbados Revenue Authority (BRA) is working with police to investigate a breach of its vehicle registration system, amid growing concerns over the security and privacy of stakeholders’ data.
Sensitive information from the system is reportedly circulating online, with a website claiming that vehicle registration records – along with tax records and other sensitive information – were being offered for sale.
In a statement issued on Tuesday afternoon amid reports that the BRA had been hacked, spokeswoman Carolyn Williams-Gayle said: “The Barbados Revenue Authority is aware that there is some vehicle registration application information circulating on the Internet and social media, and we are actively investigating the incident.
“The security and privacy of our stakeholders is of the utmost importance to us. The confidence and trust that individuals and businesses have in the Authority are the cornerstones of our systems, so we’re currently working with our partners and law enforcement to conduct a thorough investigation to determine the nature and scope of the reported incident.”
The breach has been linked to the online listing of 230 gigabytes of data on a Russian-language forum. According to a report from DataBreaches.net, the threat actor, identified as “Pryx”, claims to have accessed the BRA’s administrative portal and inserted malicious code, though it was reportedly not used.
The files being sold allegedly contain driver’s licences, passport and national ID numbers, phone numbers, and email addresses, with one document linked to a South Carolina driver’s licence, suggesting that the breach extended beyond Barbados.
“Pryx” reportedly made a ransom demand for the deletion of the data but has not received a response from the government.
According to DataBreaches.net, Pryx claimed that even if the government changed passwords, the attacker might still be able to regain access if the authorities did not figure out how access was gained in the first place.
Williams-Gayle said the BRA had notified Data Commissioner Lisa Greaves of the reported breach and gave an assurance the agency was committed to transparency.
Barbados TODAY reached out to Greaves but was told she is away until later this week.
The data breach also prompted swift action from the Ministry of Industry, Innovation, Science and Technology, which has launched its own investigation and deployed countermeasures to safeguard the systems. Minister Marsha Caddle sought to reassure the public that the breach appeared to be contained.
She said: “The Ministry of Industry, Innovation, Science, and Technology has become aware of a reported breach of data at the Barbados Revenue Authority. So far, from our investigations and from theirs, we can report that we have no reason to believe at this time that such a breach goes beyond the Barbados Revenue Authority, and, further to that, we believe that it is so far isolated to the vehicle registration application.”
Caddle added that an incident response team was activated to support the revenue agency in securing the system and preventing further risks.
“We have mobilised an incident response team, and we have also worked with the Barbados Revenue Authority to deploy further countermeasures to secure the environment in which they are currently working,” she explained.
The minister said more details would be made available soon. “We will be able to say more based on our joint investigations over the next 24 to 48 hours, and we’ve also engaged the Data Commissioner to ensure that we continue to comply with the regulations in that regard,” Caddle said.
The BRA is urging the public to be vigilant in monitoring their personal accounts for any unusual activity.
“The authority advises the public to remain vigilant and monitor their personal account activity and be on the alert for any unusual activity or requests seeming to come from the Barbados Revenue Authority. If persons do recognise any such activity, they should report such instances to our data privacy officer,” Williams-Gayle advised.
The incident is the latest case of a cyberattack targeting government agencies. In December 2022, the Queen Elizabeth Hospital suffered a cyberattack that impacted some of its services. (RG)