Ex-TSTT CEO Agard reports to JSC: ‘I was told to stay quiet on cyber attack’

The content originally appeared on: Trinidad and Tobago Newsday

Lisa Agard, TSTT’s former CEO reported to a Parliament committee on February 19, 2024 that the company’s board ordered her to keep silent on a cyber attack in October 2023. –

TSTT’s former CEO Lisa Agard said she was told to keep silent on a cyber attack on the company in 2023, speaking at Parliament’s Joint Select Committee (JSC) on State Enterprises chaired by Anthony Vieira, on February 19. She said the TSTT board had prevented her from communicating with the public on the matter without their prior approval.

Agard said TSTT’s Networks and IT Department had not told her of the October 3 cyber attack, but she had only learnt of it on November 11 via a report by TSTT’s cyber-security consultant, Checkpoint. She denied ever misleading Minister of Public Utilities Marvin Gonzales, although saying his statement to Parliament had otherwise contained inadvertent inaccuracies.

Agard began by saying the breach had taken place after a TSTT administrator had lost her credentials without realising it, and then been locked out by someone using her information to create multiple domain accounts. She said during the breach, no data was deleted from TSTT’s databases nor manipulated.

“Let me say at the outset, TSTT communicated what it knew, when it became aware of it, guided at all times by the Networks and IT (Department) and issued statements prepared by the Brand Reputation PR Department.

“When you look at the details of my submissions, you have to ask yourself why did the CEO (Agard) have to literally beg the chairman and board of TSTT to be allowed to communicate with the public after November 6, since by that date I was mandated to get prior approval of the chairman and the board before anything was allowed to be said publicly?”

She said a communication plan was prepared for various clients such as ministers, permanent secretaries and the general public. The board approved all plans but for the general public and ultimately none were ever used.

Agard said it had been disingenuous for TSTT through its chairman, board and brand reputation unit to tell the public that TSTT needed to reshape its communication around transparency.

“If, as TSTT now claims, it wishes to be transparent and timely in its communication with customers, then why was the communication plan to the general public not implemented?”

Later, in reply to JSC member Wade Mark, she said she felt pressured by the board to provide them with details of 33 people whose bank-account or credit-card details had been hacked.

“I felt if I did not cooperate and provide the information, my own position as CEO would be in jeopardy.”

Committee member Rudranath Indarsingh asked about the curtailing of reporting to the public.

She replied that she assumed it was a decision endorsed by the board, as it had come just after the board’s November 6 meeting.

Agard said after Gonzales’ statement in Parliament on November 1, she had drafted a statement to explain what he had said but that the board had refused to approve its public release.

She said she had never misled Gonzales, recalling her input into his statement to Parliament. “In the response that I sent to the minister directly via WhatsApp and to several other people including the chairman of TSTT, there is absolutely no mention whatsoever of TSTT’s data and the data of its customers not in any way being compromised.”

She said the TSTT press release of October 30 crucially qualified his statement.

“TSTT said no loss or compromise of customer data means that no customer’s data was deleted from TSTT’s databases or manipulated.”

Agard said Gonzales had not qualified his November 1 statement. “So, as a consequence of which, chairman and members, I did not mislead the minister.”

She said the minister had cited a letter from TSTT assistant GM for business Daryl Duke to TSTT’s enterprise (business) customers that she herself had not seen until November 10.

Agard said, “In communicating to TSTT’s enterprise customers that their data had not been compromised, TSTT was referring to customer data and information in the commercial cloud which was not subject to any cyber attack. It was TSTT’s private virtual cloud that was subject to the cyber attack. Unfortunately, in relying on that letter, somebody should have explained to the minister the difference between the commercial cloud and the private cloud.”

Agard said on November 14, she had asked to meet the TSTT chairman, but instead was given a termination letter with no reason given. She said basic industrial-relations practice suggested TSTT should have had a conversation with her, especially after a turnaround under her leading to its first profit in seven years, plus an S&P upgrade.

She recalled during the saga being unfairly admonished for a supposed inability to communicate with the public and for seemingly having “embarrassed the minister.”

Agard said upon learning of the cyber breach, she had been the person literally screaming every day to remedy it and she had pushed to find details of the six-gigabyte leak.

She said she was the one who had assisted in preparing a letter of apology from TSTT to its customers.

Agard said it was well known at TSTT that she was daily at work from 6 am-8 pm/9 pm. “There is no question of a lack of action.”

In her closing remark, she urged the JSC to consider a pressing need to update TT’s cyber legislation, saying the Computer Misuse Act must be updated by the Data Protection Act.