On October 1st, 2024, the Barbados Today media company published an article indicating the Barbados Revenue Authority (BRA) and police are investigating a reported breach of the BRA vehicle registration data. The article references an official statement from BRA stating they were aware that some vehicle registration application information was circulating on the internet and social media and were actively investigating the incident. The article further quoted the official statement indicating, “[BRA] understands that restricting access to the vehicle registration portal is disruptive to Barbadians, and we regret the inconvenience that these necessary precautions have caused for the public.”
The CBC Barbados X (Twitter) account posted an audio snippet from Minister of Industry, Innovation, Science and Technology, Marsha Caddle, on October 1st, 2024. The Minister indicated she is aware of the breach at BRA and, based on investigations at the time, the breach was isolated to the vehicle registration application. In response to the tweet, one X (Twitter) account replied, suggesting the Minister’s comments were not factual and the breach was not limited to vehicle registration data but included all data housed on the server containing the application.
The response to the post was made by pryx (@holypryx) and included a file directory screenshot showing various Microsoft Excel spreadsheet files, JSON files (a machine-readable file exchange format) and subdirectories for AFL, General Services, Vehicle Registration and several Visitor Permit directories. The profile of the user account included a link to a dark web page which bears their name and logo. The “blogs and breaches” section of the site included a post titled, “Barbados Gov Breach – September 29, 2024” with the subtitle “230GB of uncompressed data – driver’s licenses, social identification, and legal documents from a Barbados government facility.” Opening the post takes visitors to a page titled, “We hacked the n*****s lol,” which states the following:
For Sale: Tax and tourism fees service dump (230GB)
Dump contains 230GB of uncompressed data – driver’s licenses, social identification, and legal documents such as vehicle registration. Breached from a Barbados government facility.
The dump includes a database structured across 8 XLSX files with ~70k rows. Each file contains personal and contact information such as:
Full Names
Email Addresses
Phone Numbers
Passports and national ID numbers
Driver’s license numbers
~60k PDF documents containing photos of all legal documents mentioned above, named after the application.
And yeah, tourists are there too 😉
The post then further had 5 sample files for review, allowing any interested party to validate the information available before sale before contacting them to purchase. The ISSA Barbados Chapter (BISSA) was able to review the PDF files provided and can confirm they included:
- Personal photos
- Front and back photos/scans of personal IDs and driver’s licenses
- Pictures/scans of Transfer letters of vehicles
- Pictures/scans of Proof of Car Insurance
- Pictures/scans of Customs & Exercise Department receipts for vehicles
- A copy of a Certificate of Continuance of a fast food outlet
- At least one (1) picture/copy of a letter of vehicle repossession from an insurer
No confirmation could be made of the validity of the information included in the PDFs, however, based on initial review, they do appear to be data belonging to Barbados residents and also includes front and back images of the driver’s license of one (1) South Carolina resident.
October is Cybersecurity Awareness Month, and it’s extremely disheartening and concerning for this incident to happen at the start of this month. BISSA, is a local Chapter of ISSA (Information Systems Security Association), a not-for-profit, international organisation of information security professionals and practitioners. Our Chapter has a mission of increasing information security awareness in Barbados, through education and skills development. Incidents like the one encountered by BRA are at the epicentre of those we try to prevent.
Based on the Data Protection Act (DPA), 2019, the data which may have been exposed in this incident includes personal data and may include some sensitive personal data. Section 4(1)(f) of the DPA states under the “Principles relating to processing of personal data,” it shall be, “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
“Appropriate security” is a very general term, however, in the realm of all data which exists, personal data is one closest to the top, and requires multiple organisational structures, processes and security measures. In the absence of the regulation explicitly defining security requirements for personal data, there are frameworks and standards such as the NIST Privacy Framework and ISO 27701 (security techniques – extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – requirements and guidelines) which provide adequate guidance.
Information security is a cost of doing business. For both the public and private sector, the customers are the same, and they are entitled to appropriate security measures for protecting their data. The impact of this incident may be one felt for some time in the short term. Not all incidents grace the media headlines. However, with systems housing personal data of Barbados, US and UK nationals, the need to disclose privacy incidents to those affected is mandatory based on appropriate regulations. The attacker’s post suggests they have analysed the files exfiltrated and may have the personal details of up to 70,000 people. These persons and the organisations they are associated with may be subject to further targetted attacks now their personal details, as well as some signatures, job titles, suggested income status have been exposed.
Barbados is a small country, however, with any internet facing systems, it is open to being targetted on the world stage. The rules of “too small to be a target,” do not apply, and as we continue through the month of October, let us all as individuals, households and organisations, do our part to “Secure Our World,” this month’s theme for Cybersecurity Awareness Month.
UPDATE: October 10th, 2024
The X (Twitter) account for pryx (@holypryx) posted another comment in reference to the BRA attack, sharing a conversation exchange between two individuals suggesting they have not been contacted by either BRA or the Barbados government. Then commenting that if there are buyers of the data by the end of the month, they will be leaking the data they exfiltrated.
UPDATE 2: October 18th, 2024
The X (Twitter) account for pryx (@holypryx) posted a new comment referencing a post on Instagram by the CBC Barbados. The alleged attacker shared a link with the comment “1 gb of samples since bb gov is still confused about paying the ransom.” Fortunately, the at the time of this post, the link is expired. However, that doesn’t negate the possibility of the sample files being downloaded by individuals with malicious intent.