Massy rocked by one of the Caribbean’s largest ever data breach dumps

12 June 2024

Regional conglomerate Massy Group has launched an investigation into a major alleged data breach at the company.

Reports are that the Hive Ransomware group has leaked online some 87,550 folders and 704,047 corporate files, allegedly belonging to Massy Stores Trinidad and Tobago.

The hackers released staff salaries, photos, personal details, copies of customers’ passports as well as internal audit documents and other financial information allegedly from the company.

Describing the development as “the largest Caribbean data breach dump to date,” the Trinidad and Tobago Guardian Newspaper reported that the documents were verified by a cyber-security expert as originating from Massy.

The leak is believed to be connected to a cyber-security attack on Massy Stores Trinidad and Tobago in April 2022 which saw the company suspend some electronic services.

“Normally they would release it much sooner, usually within two weeks, but I think because of the kind of information they got it took them a while because the hacker group… went through the data received to see what they could benefit from before releasing it to the public,” said the Guardian’s cyber-security expert.

“The company took immediate action, suspending all customer-facing systems, and has been working with third party experts to resolve the situation. Backup servers were not affected, and the technical team is actively working with the expert teams to restore the system safely and in the shortest time possible,” read a Massy release at the time.

“The company is not aware of any evidence at this time that any customer, supplier or employee data has been compromised or misused as a result of the situation,” said the statement, despite claims by the Hive Group that they ran encryption on data during the attack.

In a more recent statement, Massy Stores acknowledged that more data was unlawfully accessed during the April attack than initially believed.

“Through continued investigation of the cyber-security incident, we are now aware that data unlawfully accessed by the attackers was more extensive than the preliminary stages of the investigation indicated,” said the release, adding that all potentially impacted parties were notified, given the information available at the time.

The company also challenged news reports and other information being circulated in the public domain about the cyber-attack and leak as being speculative and inaccurate.

Massy’s operation in Jamaica has also been the target of a recent cyber-attack in the second week of October 2022. “The specifics of what occurred are still under investigation by our technical experts,” said a statement by Massy Distribution Jamaica, confirming the ransomware attack.

“We remain confident that our ongoing cyber-security risk mitigation efforts have been effective to date in enabling the timely identification of and responding to this incident,” said the company, which is one of Jamaica’s largest suppliers of consumer and pharmaceutical goods.

Days later, the Jamaica Gleaner reported that approximately 17 gigabytes of data were leaked on the internet, including “personal information such as the names, addresses, taxpayer registration numbers, signatures, videos and pictures of Massy Jamaica employees and contractors”.

The Gleaner said that employee salaries, banking information of suppliers and information about the company’s business model were also dumped online.

Some legal commentators have raised questions about the risk of fraud and identity theft and argued that Massy may face lawsuits under the country’s Data protection Act which speaks to the obligations of holders of personal data to safeguard its confidentiality, integrity and availability.

Meanwhile, tech journalist, Mark Lyndersay argued in the Trinidad and Tobago Newsday that the strategy of some regional companies to attempt to keep cyber-attacks secret from the public is archaic and should be the target of updated legislation across the region.

“Until the laws regarding privacy, personally identifiable information, cyber-crime and corporate responsibility for these issues are proclaimed, companies and the public sector are under no obligation to even report breaches, far less notify affected citizens,” said Lyndersay of Massy Group’s seeming reluctance to provide full transparency on the data breach.

 

This is a lead article from Caribbean Insight, our sister publication from The Caribbean Council.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Panama prepares to evacuate first island in face of rising sea levels

The Gunas of Gardi Sugdub are the first of 63 communities along Panama’s Caribbean and Pacific coasts that government officials and scientists expect to be forced to relocate by rising sea levels in the coming decades. An official from Panama’s Housing Ministry said,...

Kenyan police will deploy to Haiti within weeks

Kenyan police will deploy to Haiti within weeks to lead a UN-backed multinational mission aimed at tackling gang violence, a senior government official in the East African country said on the 19 of May.  "That deployment will happen in the next few days, few weeks,"...

Imposing Sanctions on Corrupt Actors in Guyana

The United States is imposing sanctions today on Nazar Mohamed, his son, Azruddin Mohamed, their company, Mohamed’s Enterprise, and Mae Thomas, the former Permanent Secretary to Guyana’s Minister of Home Affairs and current Permanent Secretary to the Ministry of...

Small island nations get big climate victory in International Maritime Court

Nine island nations in the Pacific, Caribbean, and West Indies won a major international legal victory, putting more pressure on large governments like the European Union and China to curb their carbon emissions.   The small island states celebrated a landmark victory...

Bank of Guyana injects US$80M in Commercial Banks to stem foreign currency shortage

Amid a shortage of foreign currency in the country, the Bank of Guyana has been forced to inject more than US$80M into the foreign currency market, on instructions of the Government. At a press conference on Thursday, Vice President, Bharrat Jagdeo said he met with...

Haiti News – CPT opens applications for interim Prime Minister

CPT opens applications for interim Prime Minister. Haiti has commenced the search for a new Prime Minister, a pivotal step outlined in the April agreement to establish the Presidential Transitional Council (CPT). This move reflects Haiti's broader mission to address...

New Sint Maarten Prime Minister sworn in

Luc Mercelina has been sworn in as Prime Minister and Minister of General Affairs of Sint Maarten, succeeding former PM Silveria Jacobs after the 2024 Parliamentary election. The swearing-in ceremony, conducted by Governor Ajamu G Baly on 3 May, signifies a peaceful...

Haiti News – Haiti’s Transition Council advances its security mission

   Plans for foreign security deployment are advancing following the installation of Haiti’s transitional council after the official resignation of former Prime Minister Ariel Henry’s controversial government.  “We have served the nation during difficult times,”...

Haiti News – Central Bank authorises loan repayment moratoria

 Central Bank authorises loan repayment moratoria. Amid Haiti's ongoing challenges, the Bank of the Republic of Haiti (BRH) has issued Circular 115-5, granting financial institutions authorisation to provide a moratorium from 1 April to 30 September 2024. Under the...

EU support Trinidad-Venezuela pipeline amid US sanctions

The European Union (EU) has signalled its willingness to support the Dragon Pipeline between Venezuela and Trinidad and Tobago despite reimposition of US sanctions on Venezuela.  The 90-kilometre pipeline project between the two countries has been in the news in...
Click to access the login or register cheese