HAMILTON, Bermuda, CMC – The government says an investigation into last Thursday’s “major cyberattack”, which severely hampered government information systems, has failed to unearth any evidence that third parties accessed personal information.
Premier David Burt told a news conference that any data held on government files did not appear to be compromised, even though he acknowledged that “a significant amount of data on our systems.
“We are going through the forensic process to identify what, if anything, was exfiltrated. At this point in time, as of the report that I had with a briefing from our international team, they have not been able to uncover any forensic evidence of exfiltration.
“That does not mean that they may not be discovered, but they’re going through the process of careful and significant forensic investigation so that we can identify what has happened,” Burt said, adding that if any evidence of a breach is detected, affected people will be notified immediately.
Burt has promised that “we will act in the best interests of our citizens, and it will be responsible for the Government of Bermuda to make sure that we notify persons if their data has been compromised.
“If there is a data breach that is confirmed, we will, of course, contact affected persons and organizations with information and guidance on protective measures, and for all persons, whether or not this happened, we recommend vigilance against phishing attempts and encourage regular password updates,” said Burt.
The government has already indicated that it will provide the public with “accurate and timely information once we have a clear understanding of the data that may have been accessed” and will engage with the Privacy Commissioner and other relevant international authorities as appropriate, to ensure that all necessary notifications and actions are taken.
The Privacy Commissioner, Alexander White, said there were several reasons why organizations that hold information on private citizens should notify those individuals if there has been a security breach.
“Data-breach notification requirements, such as those found in the Personal Information Protection Act, are intended to warn individuals about potential adverse effects so they may take steps to protect themselves.
“This messaging is also an opportunity for the organization to communicate to their customer or client the measures they are taking to address the issue and mitigate potential adverse effects.”
Under personal information protection laws, organizations possessing private data on individuals must contact the Privacy Commission if they have been the victim of a cyberattack. They must then notify any individual who may be affected by the breach.
However, those rules come into effect in January 2025.