Amid calls for authorities to come clean on the full extent of this week’s Barbados Revenue Authority (BRA) data breach, Minister of Industry, Innovation, Science and Technology Marsha Caddle says the teams investigating the incident must be given time to do their work.
She has also insisted that the government has so far done what is required by law, as far as what it has shared with the public is concerned, and is in the process of strengthening critical government data and systems.
The BRA on Tuesday reported what had so far appeared to be a leak of vehicle registration information, while the hackers offering the 230 gigabytes of data said it included national and foreign passports, ID cards, driving licences, financial transactions, vehicle registrations, company incorporation documents, customs documentation, licence payment invoices, and medical certificates.
In a video released to the media on Thursday, in which she appeared with Minister of State in the Ministry of Finance Ryan Straughn, Caddle said forensic and other experts on the incident response team that was created after the breach was discovered are still carrying out their investigations.
“As with all similar data breaches, this is a national security matter, and just like the police cordoning off a crime scene so they can contain it and do the investigations, we have a duty to do the same and to give the cyber response team time to do their work,” she said.
“As we’ve done from the start, and have committed to continuing, we are following the steps under the data protection legislation. Once we have further information that we can share, we will do so.”
The statement came a day after cybersecurity expert Niel Harper criticised the government’s handling of the matter and warned that a massive amount of sensitive information had been exposed. He said the breach was “quite possibly the largest in the history of the country”.
Harper, who said he had written to Caddle, Attorney General Dale Marshall and Prime Minister Mia Mottley with recommendations on how to deal with the situation, urged the government to say what measures it would take to prevent similar incidents in the future. He said among the advice was that authorities should notify all individuals whose data has been compromised and explain the severity of the breach to them as required under the Data Protection Act.
Caddle said that her ministry, as the regulatory agency in this matter, has been in touch with the Office of the Data Commissioner, has informed the public as required by law, and is fully complying with all requirements under the data protection legislation.
She made reference to data breaches of much larger agencies and corporations in the United States and the United Kingdom.
“We continue to strengthen security, particularly of critical government data and systems,” Caddle said.
“As we do so, we realise that in the public and private sphere, cyber is the new and increasing line of attack against which we will have to defend. The IRS in the US learned that this year, when they had their own data breach, as did the BBC in the UK, and Amazon. Our duty and commitment are to do everything we can to secure data and systems in advance and where we may need to respond to threats, to have a rapid, sure and reliable system so to do.”
Harper, a data privacy expert, also called on authorities to notify international supervisory bodies – as required under international law – such as those in the EU, UK and Canada since the data of foreign nationals may have been compromised in the breach. (BT)