4th November 2022

Regional conglomerate Massy Group has launched an investigation into a major alleged data breach at the company.

Reports are that the Hive Ransomware group has leaked online some 87,550 folders and 704,047 corporate files, allegedly belonging to Massy Stores Trinidad and Tobago.

The hackers released staff salaries, photos, personal details, copies of customers’ passports as well as internal audit documents and other financial information allegedly from the company.

Describing the development as “the largest Caribbean data breach dump to date,” the Trinidad and Tobago Guardian Newspaper reported that the documents were verified by a cyber-security expert as originating from Massy.

The leak is believed to be connected to a cyber-security attack on Massy Stores Trinidad and Tobago in April 2022 which saw the company suspend some electronic services.

“Normally they would release it much sooner, usually within two weeks, but I think because of the kind of information they got it took them a while because the hacker group… went through the data received to see what they could benefit from before releasing it to the public,” said the Guardian’s cyber-security expert. “The company took immediate action, suspending all customer-facing systems, and has been working with third party experts to resolve the situation. Backup servers were not affected, and the technical team is actively working with the expert teams to restore the system safely and in the shortest time possible,” read a Massy release at the time.

“The company is not aware of any evidence at this time that any customer, supplier or employee data has been compromised or misused as a result of the situation,” said the statement, despite claims by the Hive Group that they ran encryption on data during the attack.

In a more recent statement, Massy Stores acknowledged that more data was unlawfully accessed during the April attack than initially believed.

“Through continued investigation of the cyber-security incident, we are now aware that data unlawfully accessed by the attackers was more extensive than the preliminary stages of the investigation indicated,” said the release, adding that all potentially impacted parties were notified, given the information available at the time.

The company also challenged news reports and other information being circulated in the public domain about the cyber-attack and leak as being speculative and inaccurate.

Massy’s operation in Jamaica has also been the target of a recent cyber-attack in the second week of October 2022. “The specifics of what occurred are still under investigation by our technical experts,” said a statement by Massy Distribution Jamaica, confirming the ransomware attack.

“We remain confident that our ongoing cyber-security risk mitigation efforts have been effective to date in enabling the timely identification of and responding to this incident,” said the company, which is one of Jamaica’s largest suppliers of consumer and pharmaceutical goods.

Days later, the Jamaica Gleaner reported that approximately 17 gigabytes of data were leaked on the internet, including “personal information such as the names, addresses, taxpayer registration numbers, signatures, videos and pictures of Massy Jamaica employees and contractors”.

The Gleaner said that employee salaries, banking information of suppliers and information about the company’s business model were also dumped online.

Some legal commentators have raised questions about the risk of fraud and identity theft and argued that Massy may face lawsuits under the country’s Data protection Act which speaks to the obligations of holders of personal data to safeguard its confidentiality, integrity and availability.

Meanwhile, tech journalist, Mark Lyndersay argued in the Trinidad and Tobago Newsday that the strategy of some regional companies to attempt to keep cyber-attacks secret from the public is archaic and should be the target of updated legislation across the region.

“Until the laws regarding privacy, personally identifiable information, cyber-crime and corporate responsibility for these issues are proclaimed, companies and the public sector are under no obligation to even report breaches, far less notify affected citizens,” said Lyndersay of Massy Group’s seeming reluctance to provide full transparency on the data breach.

Photo by Markus Spiske

This is a lead article from Caribbean Insight, The Caribbean Council’s flagship fortnightly publication. From The Bahamas to French Guiana, each edition consists of country-by-country analysis of the leading news stories of consequence, distilling business and political developments across the Caribbean into a single must-read publication. Please follow the links on the right-hand side of this page to subscribe, or access a free trial.