Agard on fallout over TSTT hack – ‘I did not resign’

The content originally appeared on: Trinidad and Tobago Newsday

Former TSTT CEO Lisa Agard – File photo courtesy TSTT

FORMER TSTT CEO Lisa Agard has broken her silence on the fallout over the cyber attack against the company in October – which led to her parting ways with the state-owned company – saying point-blank on Monday: “I did not resign.”

The ransomware attack led to six gigabytes of customer data being stolen and posted on the dark web.

On November 15, TSTT announced that Agard had been replaced by Kent Western, but neither gave any reason for this management change nor said whether she had resigned or was fired.

Speaking for the first time since leaving the company, Agard was asked about the circumstances surrounding her exit.

Agard said she could not get into the details, as she was still talking with her attorneys. But she added, “I can assure you that I did not resign. In fact, I was not even given that opportunity!”

She also spoke of possible legal action for comments made during a meeting on Monday of Parliament’s Joint Select Committee on State Enterprises, which was called to examine TSTT’s handling of the ransomware attack.

During the meeting, committee member and Opposition Senator Wade Mark raised the issue of the failed motion to have Public Utilities Minister Marvin Gonzales referred to the Privileges Committee for misleading the House.

On November 1, Gonzales said there was no compromise of customers’ personal data during the cyber attack.

This proved false, and UNC MP for San Juan/Barataria Saddam Hosein subsequently moved the motion, which was later denied by Speaker Bridgid Annisette-George.

Gonzales nonetheless apologised to Parliament on Friday and said he made the statement in good faith and on the basis of information provided to him by TSTT.

At the JSC on Monday, Mark asked who was responsible for providing the information to the minister.

After TSTT acting CEO Western’s response, Mark sought clarification.

“Are you telling this committee, that as far as you are aware, that in this instance, what was read in the Parliament by the minister would have come from the office of the CEO, who is no longer employed in TSTT?”

Western then repeated his answer.

‘I NEVER MISLED ANYONE’

Contacted for comment after the JSC, Agard told Newsday she believes statements made at the JSC constituted an “egregious” defamation of her character.

“I can say categorically to you that I did not provide any misleading information or inaccurate information to the honourable minister,” Agard said.

Agard claimed the response for Gonzales was prepared by officials from TSTT’s corporate communications department, which at the time was led by former CNC3 journalist Khamal Georges, and would have been approved by general manager of operations and administration Gerard Cooper.

Agard also claimed Gonzales did not read what had been prepared for him.

“I do recall that what the minister, in speaking to the Parliament on November 1, referenced a press release that TSTT would have issued on October 30. When the minister spoke he was obviously quoting from what was in the press release, but not defining what was meant by ‘no compromise of customers’ data’,” she said.

“TSTT said very clearly (in the press release) there was no loss or compromise of customer data, which it defined as meaning no data was deleted from TSTT’s databases or manipulated. That is a fact.”

She added, “At the time, that information was accurate. TSTT did not conclude its detailed examination of the six gigs of data until November 2 – the day after minister (Gonzales) spoke in Parliament – and then a detailed press release was issued on November 3.”

COMMUNICATING: TSTT’s acting CEO Kent Western, front row 2nd from right, makes a point before the joint select committee of Parliament which met on Monday to discuss the cyber attack on TSTT in October. – Photo courtesy Office of the Parliament

Agard said she is examining all legal options available to her.

“I am going to review this session of Parliament very carefully with my attorneys to ensure my reputation is vindicated.”

Western’s comment at the JSC meeting on Monday also prompted committee chairman, Independent Senator Anthony Vieira, to say Agard will be called before the committee, “out of fairness.”

“Obviously, this committee is determined to understand and to get to who misled the minister, and at large, the country. We want to find out that if it has been suggested that that came from the former CEO’s desk…I must tell you, out of fairness, we will have to call in the former CEO and interrogate her as well. But we want to get to the bottom of that,” Vieira said.

Agard told Newsday she is willing to appear before the JSC to provide any details it needs in order to discharge its public responsibilities.

“I really look forward to the opportunity to vindicate my position. As you know, I am an attorney…and my reputation I take quite seriously. Any attempts by TSTT…I will defend my reputation to the full extent available to me,” she said.

Asked if she felt she was being made a scapegoat in the fallout, Agard said that was up to the public to decide.

“I think that is a conclusion for your readers and people who consume your newspaper to come to. I think, as a matter of fact, that question should be more appropriately addressed to the board of directors of TSTT.

“I have never said anything publicly since this incident. I have not said a word. I think it is outrageous…to go and defame my reputation and character in the way that they have done.”

FOCUS ON REBUILDING TRUST

The JSC also looked at how the attack was able to happen and what shortcomings may have led to it.

Senior manager of information technology infrastructure Tanya Muller told the committee access to TSTT’s database is usually restricted, but the hackers were able to acquire an administrator password, which she described as a “golden password.”

“The protocol is that nobody can access TSTT’s environment directly. We have secure methods by which our vendors, our dealers, even our staff, if they are outside of the office, have to use to get onto our platforms. As a matter of fact, a lot of those dealer channel partners don’t have access to anything (on the) back end. They only have front-end access via this very secure method. So those are some of the things we have in place.”

Responding to concerns by Senator Mark, Mueller said the stolen data contained credit-card information but added that this affected a minority of customers.

“We do not store credit-card information on any of our systems. That is not a practice. You can pay via credit card, but it goes straight to the clearing house. It’s not stored on any of our opening platforms or any of the platforms that we use.”

“The few credit-card numbers that we did see came as a result of customer service representatives taking a picture of that information and scanning it as proof of payment. Unfortunately, they would have captured a couple of credit-card numbers and a couple of account numbers too, but it’s minimal.”

Mueller said TSTT has also discontinued that option, as it is not part of the organisation’s payment process and should not be done.

Western said no ransom was paid to the hackers.

“On the advice of our consultants and in keeping with industry guidance, we do not negotiate with terrorists or companies that position themselves in this role, as it further exposes the business.”

He told the committee the financial impact of the attack is “to be seen,” as the company did not see a decline in revenue as a result of the cyber threat.

He said focus has been on rebuilding customer trust and confidence, as that is where the company made its biggest loss.

“There are things that we’ve agreed are the principles of reshaping that conversation with customers around transparency in communication, something that we agreed needed to be done differently: the timeliness of that communication, collaborating with the right experts, ensuring that the cyber crime culture is a conversation that we start with customers as well as how this impacts the customers.

“Our approach is a multifaceted approach to ensuring that we rebuild this over time. And it is a programme that we’ve already started.”

He said any cost to the company will be reflected in changes to its capital and operational expenditure which may be altered based on changes to its cyber security plans.

TSTT chairman Sean Roach also apologised to customers, saying certain aspects of the company’s response should have been handled differently.

“We apologise for not communicating clearly with a timely manner to our stakeholders, including our line minister and our customers. We are committed to ensuring that the learnings from this experience are not lost.”

He said TSTT has since taken additional steps to “fortify” its cyber security measures.

“We have strengthened our internal systems, introduced additional protocols and are committed to the highest safeguards of our customers’ data against future incidents.”

Vieira agreed to Roach’s request to discuss in camera (with no media presence) several aspects of the attack and the measures put in place to avert another attack.

Roach said, “Public discussions about our cyber security strategies could inadvertently aid potential threat actors or compromise our ongoing activities and securities that we now are presently putting together.”