Log In

Reset Password

MPs urged to ‘follow the money’ to identify cyberattackers

Lawrence Scott, the chairman of the cybersecurity committee (Photograph supplied)

It is unlikely that the criminals responsible for the September 2023 cyberattack will be caught but if the Public Accounts Committee continues investigations into the incident, there may be a chance, the chairman of the cyberattack committee has said.

Lawrence Scott, the Progressive Labour Party MP, spoke exclusively to The Royal Gazette about the report of the joint select committee on the September 2023 cyberattack, which was tabled in the House of Assembly this morning.

He also revealed that the hackers were probably able to access the system when a government employee used their work laptop for personal use.

The report suggested that up to $4.4 million was paid out by the Government to the perpetrators of the attack to avoid costs that could have spiralled in excess of $100 million to retrieve seized back-ups for targeted IT systems.

Mr Scott said it was unclear who authorised the payment, what the payment covered or to whom the payment was paid, saying such details were beyond the expertise of the committee.

However, he said the PAC, which is chaired by Douglas De Couto, the Shadow Minister of Finance, had been invited to continue investigations through a formal recommendation within the report to “follow the money”.

Mr Scott told the Gazette: “From my understanding, it’s hard, even for places like the UK and US — G8 countries — and Australia, to identify exactly who hacked them.

“But this is where parliamentary committees are very good; we are like a baton race.

“We have done our job and say we don’t have the expertise for this; PAC can try to find out.

“What is allocated in the Budget Book does not always get paid. We don’t have the ability to see that.

“The Government told us it was paid out for overseas experts. The committee believes that those overseas experts may have been the actors. All indicators suggest that the $4.4 million was a ransom.”

Mr Scott said that regardless of whether the attackers are eventually tracked down, the Government’s cybersecurity risk had been reduced from its pre-incident “critical” status with more efficient interventions coming on board

However, he added: “Is the risk zero? No, I don’t think it’s ever zero.”

A major concern within the report was the lack of timely and official communication with essential service stakeholders such as Belco and the Bermuda Hospitals Board. Mr Scott said the report showed that important information was often shared through informal back channels and professional courtesy instead of an established incident-communication process.

Mr Scott said: “This limited the ability of stakeholders with more mature cybersecurity systems to assist Government or take informed protective action.”

A recommendation within the report is to form a council including the stakeholders and Cabinet-level observers while improving communication and public education.

Increased cybersecurity funding was also a recommendation. Mr Scott, independent of the report, said he believed that an estimated $6 million should be put up front for IT to account for past funding shortfalls and approximately $1 million should be allocated annually thereafter.

Mr Scott revealed that the cyberattack occurred because a government employee used their work laptop for personal use. Activity was identified as being similar to online shopping.

He added: “Around the same time, you had police and government saying beware of phishing and people impersonating government ministers online.”

While personal data was compromised in the attack according to “verified” sources, Mr Scott said the committee did not have any evidence suggesting that health or financial records were included.

“It seems as though they were more focused on government departments and government identities with the sole motivation of getting money.”

Public cybersecurity

The cyberattack joint select committee said not every incident will require the same level of public warning.

However, it said where there is credible risk of personal data misuse, the Government should not merely state that systems are being restored. It should tell the public what practical steps they should take to protect themselves.

The checklist should include clear instructions such as:

• Change passwords for government-facing accounts where applicable

• Change passwords for any private accounts where the same password may have been reused

• Enable multi-factor authentication wherever possible

• Monitor banking, e-mail and online accounts for suspicious activity

• Verify government messages through official channels

• Do not click suspicious links or payment requests

• Report impersonation attempts, phishing messages and suspicious calls

• Preserve suspicious messages as evidence where appropriate

• Follow updates from designated official communication channels

Mr Scott said the attack carried all the hallmarks of the Russian hacking group ALPHV/BlackCat, including the seizure of IT back-up systems and a ransom demand for retrieval.

ALPHV/BlackCat was responsible for a cyberattack on MGM Resorts International ten days before the breach of Bermuda’s systems. The JSC report revealed that the firm had to pay $100 million for its back-ups.

Mr Scott wanted to make it clear that the report was not about political point-scoring but institutional learning, accountability and national resilience.

“This didn’t start on September 2023, this actually goes back ten years under different administrations.

“The real value of the report will not be measured by the headlines but by whether the recommendations are implemented, tested and sustained.”

Mr Scott said he was proud of the work carried out by the committee, adding: “It is fair; it is not glowing of the Government because it shows the deficiencies. We wanted to make sure that the average Bermudian knows that we did what we could as best as we could.”

Royal Gazette has implemented platform upgrades, requiring users to utilize their Royal Gazette Account Login to comment on Disqus for enhanced security. To create an account, click here.

You must be Registered or to post comment or to vote.

Published July 17, 2026 at 5:00 pm (Updated July 17, 2026 at 5:29 pm)

MPs urged to ‘follow the money’ to identify cyberattackers

Users agree to adhere to our Online User Conduct for commenting and user who violate the Terms of Service will be banned.