Expert: all signs point to ransomware attack
Hackers who brought down government IT systems may have obtained private data about Bermuda’s citizens and could threaten to publish it if a multimillion-dollar ransom is not paid, according to a cybersecurity expert.
Rick Mello, chief information security officer at Sentinel Cybersecurity, told The Royal Gazette: “I don’t have confirmation it’s a ransomware attack, but the signs are pointing towards a ransomware attack.”
He said groups which carried out such attacks were “looking for people that can pay a ransom”.
“What they do is known as encryption,” Mr Mello explained. “Just think of it as them locking your system with a key and then they have that key. Without the key, there is no access to that system.”
Last week’s cyberattack on Bermuda has caused massive disruption to government services, with David Burt, the Premier, initially stating it had affected “some other regional governments as well” and that the perpetrator was “most likely from Russia”.
Mr Burt would not confirm at a press conference yesterday if it was a ransomware attack or if personal data had been breached, saying only: “Our focus is making sure we get government systems up and running safely.”
Mr Mello, speaking generally about ransomware attacks, told the Gazette that hackers would issue ransom notes in the form of a text file left on the hacked system, giving instructions to the victim on how to get their system unlocked in exchange for millions of dollars.
He said: “Sometimes they will steal the data. If you say you won’t pay the ransom, they’ll blackmail you and say ‘we’ll release all of your data if you don’t pay the ransom’.
“It’s a big business, hundreds of millions of dollars a year.”
He said of the attack on Bermuda: “It may just be that they have locked the systems up, they may not have got any data.”
Mr Mello suggested there would “definitely” be concern among the public about the potential for personal and private information held by the Government to be released.
“The Government is probably the largest collector of data of everybody in Bermuda,” he said.
“When you think about the amount of personal data they have on people living in Bermuda, I’m sure it’s a vast amount.
“If they [the hackers] were able to remove the data and have a copy of that, using that as blackmail, they could release all our personal information to the public. That’s definitely something they could try and do.
“But there’s no telling if they were able to remove the data or not. It will take a thorough investigation.”
Mr Mello said organisations often had no choice but to pay ransoms to get access to their own systems and protect stolen data.
“I don’t want to speculate too much but when you are faced with you can’t restore the systems, you ask can we survive without the data and all of our historical data.”
He said he would need more inside knowledge to comment on whether the Government was likely to pay a ransom, adding: “I’m sure it’s probably an option that’s being considered.”
Mr Mello said the attack raised serious questions about whether there were “control deficiencies” within the Government’s system.
“[The hackers] wouldn’t have been successful if they had the controls there to protect against ransomware.
“There definitely needs to be some investment in cybersecurity for government operations. I’m sure they will look at this now.”
Fernando de Deus, the chief executive of Ingine, a technical solutions company that offers IT security services, said hackers carrying out ransomware attacks did it for financial gain.
“It’s a service, so now it is really, I would say, a multibillion-dollar revenue income for these groups, because there are various groups out there and it’s really for capital gains, nothing else.”
He added: “If you get hit with ransomware … if you want your data back you’re going to have to pay for it.
“They’re going to hold it until you pay them. They say, ‘hey, if your company makes $500 million a year, I want a per cent of that to get your data back’.
“It’s not just one group, there are different groups out there, so now it’s a very organised system and it’s a moneymaking machine, unfortunately.”
The island’s Privacy Commissioner, Alexander White, said yesterday: “We do not have any comment on the circumstances with Government, except to say that our staff meet regularly with government personnel to discuss best practices and ways we can support one another, but we are not directly involved in operational matters.
“Substantive provisions of Pipa [the Personal Information Protection Act], such as those relating to security safeguards and data breach notification, have been announced to come into effect on January 1, 2025.
“We do not require or expect organisations to notify our office of data breaches before that time.”