No evidence yet of personal data breach — Premier
An investigation into last week’s cyberattack on government computer systems has failed to unearth any evidence that personal information was accessed by third parties.
At a press conference, David Burt reassured residents that any data held on government files did not appear to be compromised.
Acknowledging that there was “a significant amount of data on our systems”, the Premier said: “We are going through the forensic process so that we can identify what if anything was exfiltrated.
“At this point in time, as of the report that I had at 9am this morning with a briefing from our international team, they have not been able to uncover any forensic evidence of exfiltration at this time.
“That does not mean that they may not be discovered but they’re going through the process of careful and significant forensic investigation so that we can identify what has happened.”
Mr Burt added that, if any evidence of a breach is detected, affected people will be notified immediately.
Under personal information protection laws, organisations in possession of private data on individuals must contact the Privacy Commission if they have been the victim of a cyberattack. They must then notify any individual who may be affected by the breach.
However, those rules do not come into effect until January 2025.
Mr Burt said: “We will act in the best interests of our citizens and it will be responsible for the Government of Bermuda to make sure that we notify persons if their data has been compromised.
“If there is a data breach that is confirmed we will of course contact affected persons and organisations with information and guidance on protective measures, and for all persons, whether or not this happened, we recommend vigilance against phishing attempts and encourage regular password updates.”
Earlier, a government spokeswoman emphasised that the public will be provided with “accurate and timely information once we have a clear understanding of the data that may have been accessed”.
She said: “We have protocols in place to notify affected individuals in the event of a confirmed data breach. If it is confirmed that personal information has been compromised, we will promptly reach out to those affected with guidance and support.”
The spokeswoman added that the Government was “in compliance with all legal and regulatory requirements regarding data breaches”.
She added: “We will engage with the Privacy Commissioner and other relevant international authorities as appropriate, to ensure that all necessary notifications and actions are taken.
“In the event of any data compromise, we advise individuals to remain vigilant for any suspicious activities, monitor their accounts, and report any anomalies to the relevant authorities.
“We will provide specific guidance and support to affected individuals if there is a confirmed breach, including recommending steps such as changing passwords, enabling two-factor authentication, and monitoring credit reports.
“Our priority is to support and protect residents in addressing any potential impact.”
One cybersecurity expert said that confirming whether or not personal data had been stolen by hackers was a time-consuming process, and that eight days or more — the latest cyberattack took place on September 20 — was “not outside of the norm”.
The expert, who did not wish to be named, said: “It may take quite a while to determine if any data was exfiltrated, as there are many ways to exfiltrate data.
“There is no set period for these investigations, and they can take some time to complete thoroughly.
“The attackers could have obtained access for months undetected and slowly exported the data. Without the proper monitoring systems in place, this can be difficult to determine.”
Alexander White, the Privacy Commissioner, said there were several reasons why organisations that hold information on private citizens should notify those individuals if there has been a security breach.
Mr White said: “Data-breach notification requirements, such as those found in the Personal Information Protection Act, are intended to warn individuals about potential adverse effects so they may take steps to protect themselves.
“This messaging is also an opportunity for the organisation to communicate to their customer or client the measures that they are taking to address the issue and mitigate potential adverse effects.
“It is important to note that not every incident requires a data breach notification under Pipa, only incidents in which a loss, disclosure or accessing of personal information is likely to adversely affect an individual.
“The exact nature of the notification, such as the timing or the details that are shared, should be without undue delay and in any case appropriate to the risk of harm.”
The Privacy Commission has published guidance and considerations about data breach notifications here.