JSC: $4.4m cyberattack spend may have included ransom payout
A payment of $4.4 million out of Bermuda’s coffers may have covered ransom to perpetrators of the cyberattack that crippled government IT systems in 2023, an official report tabled today in Parliament revealed.
The long-awaited document from the joint select committee on the September 2023 incident sheds light on events leading up to the attack, including an assessment that warned four months earlier that the island’s cybersecurity risk was “critical”.
The four-member committee left no doubt that the payment was made but recommended an investigation by the Public Accounts Committee to look into who was paid, for what purpose and value, and with whose approval.
Figures in the 2023-24 Budget showed an allocation of $3.09 million for the cyber incident from the Ministry of Finance Headquarters and approximately $1.32 million from Information and Digital Technologies, for a combined total of about $4.41 million.
Since the attack, the Government has remained tight-lipped about whether a ransom was ever paid.
The report said: “The committee does not state, on the basis of the line items alone, that the full amount was paid as ransom.
“However, the scale, timing and description of those line items require full explanation.”
The 42-page report reveals that the attacker, or “threat actor”, had infiltrated the systems ten days before being detected, during which time access to system back-ups was removed, enabling the criminals to demand that the Government pay a ransom or face a rebuilding exercise that could have cost in excess of $100 million.
Furthermore, the committee said verified sources confirmed that personal data was compromised, though little detail was given on what types of data or to whom it belonged.
The report landed with an urgent recommendation that cybersecurity be treated by the Government as “critical national infrastructure” with adequate funds, resources and full-time specialist employees dedicated to it.
It said: “The committee concludes … that Government had been warned of a critical cybersecurity posture in May 2023.
“Remediation had begun, but key controls were incomplete or not fully operational when the attack occurred.
“The committee further concludes that the incident exposed weaknesses not only in technical controls but also in governance, implementation discipline, resource allocation, workforce capacity, data compromise disclosure, public communication and financial accountability.”
A risk assessment provided by cybersecurity firm Cyberdine identified a high probability of successful attack and limited recovery capability, with causes including resource constraints, gaps in strategic direction and attack vectors such as ransomware, phishing, privacy breach, cloud-based breach and third-party risk.
“Evidence received by the committee indicates that there may have been a gap in institutional awareness regarding the assessment after leadership changes,” the report said.
“The committee does not make a personal finding against any individual on this point.
“Rather, the issue is one of governance continuity; a critical cybersecurity assessment should not depend on informal memory, personality or individual handover.”
The document said that the period from May 2023 to September 2023 was one of the most important periods in the committee’s review, adding: “Government was on notice of critical cybersecurity risk before the attack …
“However, governance maturity, funding, specialist staffing, enterprise monitoring, disaster recovery and cross-sector co-ordination did not consistently keep pace with the growth in digital reliance.”
Its top recommendation was: “Bermuda must now treat cybersecurity as a standing national resilience priority, not as a project-based or incident-driven function.”
The final committee was chaired by Lawrence Scott, a Progressive Labour Party backbench MP, and members included Scott Simmons and Jamahl Simmons, also PLP MPs, and Dwayne Robinson, a One Bermuda Alliance MP.
The committee was initially appointed in October 2024, more than a year after the severely disruptive attack.
It was dissolved, along with the rest of the legislature, when a General Election was called for February 2025.
The committee was reinstated in May 2025, when members included Opposition senator Dion Smith, who resigned his post in the Upper House this year.
The September attack shut down many government services for months with significant disruptions affecting everything from digital payment processing to court operations and customs systems.
• More to follow
• To see the report, see Related Media

