A committee investigating the September 2023 government cyberattack has probed whether a ransom was paid to hackers, but its chairman is staying tight-lipped for now on any findings.

Lawrence Scott told The Royal Gazette on Thursday: “It would be too premature for me to mention anything in any type of specifics along those lines, but we have looked at every aspect and that’s one aspect that the committee has looked at.”

Mr Scott gave an update on the work of the joint select committee, whose goal, he said, was to submit its final report to the Speaker of the House of Assembly before the summer break.

“We know what happened, when it happened and how it happened, and we are just in the midst of getting the last submissions before putting the report together,” he added.

“We are aiming to be able to put this before Parliament sometime on the other side of the [February 20] Budget. We can’t say exactly when.”

The five-member cross-party committee was initially appointed in October 2024, more than a year after the devastating attack that crippled government services.

The committee had to be dissolved, along with the rest of the legislature, when a General Election was called last February, but it was reinstated in May with the same members: Mr Scott as chairman; fellow Progressive Labour Party representatives Scott Simmons and Anthony Richardson; One Bermuda Alliance leader Robert King; and Dwayne Robinson, an opposition MP.

The JSC has not held any public hearings ― which Mr Scott said was because of the nature of the subject matter under investigation ― but has interviewed many witnesses, including from institutions across the island.

“We have reached out to all the relevant stakeholders,” he said, mentioning Belco, local banks, international businesses and the hospital.

“It’s similar to a police investigation. We’d ask for witnesses and people in the know to provide evidence.

“We have spoken to former ministers, current ministers; we have spoken to civil servants. It’s a lot. I couldn’t put a definitive number on it.”

Mr Scott, a backbencher, added: “We still have a few interviews scheduled to do. The bulk of it is done.

“There are one or two key aspects that the committee wants to do a deeper dive into.

“From there, we will be able to put everything together. We’ll still be fielding submissions into April, and then probably from May, moving forward, we will be compiling all the information and going from there.”

Mr Scott said the purpose of the group’s inquiry was “not to name and shame”.

He said: “This joint select committee’s focus is on understanding what has happened and putting forward recommendations to the Government on how we can stop this happening again.

“We now have been able to bring in technical consultants, people who specialise in IT. They are able to say, ‘This is what you should do, could do’.”

He said that talking to local entities, with their own “very robust” programmes for preventing cybercrime, had been vital and “given us something to shoot for and also the ability to understand what’s possible locally”.

“They too could be affected but also have their own processes and procedures that we could learn from,” he said.

“What I have learnt is that there is nobody who can guarantee that nothing will be hacked in future, but what we can do is significantly reduce or mitigate the risk, and that is our goal.

“We have got to mitigate the risk as close to zero as we possibly can.”

He said the committee’s report would explain exactly how the cyberattack happened.

“Once Parliament sees how it happens, then the recommendations make sense.”

He praised committee members for leaving politics at the door, working as a team and focusing on the task, but noted: “I can’t speak to what the parliamentary debate will look like.”

Mr Scott said the committee had conducted its work, for maximum confidentiality, the “old-school way”.

He added: “There’s nothing on computers. Everything is submitted in writing, by hand. Nothing is stored electronically.”

The report of the JSC will not be the first on the September 2023 incident. An external report on the cyberattack was delivered to the Cabinet Office two months after it happened but has remained under wraps.

The Cabinet Office was ordered by the Information Commissioner to respond to a records request from The Royal Gazette for that report last February.

Major Marc Telemaque, the Cabinet Secretary, wrote to the newspaper the following month stating that the report was exempt from release for national security and law enforcement reasons, as well as parliamentary privilege and it being a Cabinet document. That decision is under review by the Information Commissioner.

• To read Major Telemaque’s decision on the external report, see Related Media

Download PDF File

Cyberattack report Pati Decision 05_2025.pdf