IT consultant mocks MGM hack days before Bermuda attack
A foreign contractor being paid nearly $25,000 a month by Bermuda’s taxpayers for cybersecurity services described a cyberattack on a multibillion-dollar casino operator as “a real blow against the brand reputation”.
Christopher Warner posted on social media about the breach of MGM Resorts International just days before Bermuda Government IT systems were hacked, causing chaos to public services.
Two weeks on from the hacking, residents remain in the dark about whether it was a ransomware attack, who was responsible and whether any of their government-held confidential data was stolen.
Mr Warner wrote on LinkedIn: “First BetMGM online breach in January, now this. What is going on inside MGM? A real blow against the brand reputation!”
He has not responded to e-mailed questions from The Royal Gazette about the infiltration and possible encryption of Bermuda Government servers on September 20.
The Department of Communications did not respond directly to a request made a week ago for an interview with Daron Raynor, chief information officer at the Department of Information and Digital Technologies, about the continuing crisis.
But a government spokeswoman said last night that for “security reasons, there is limited information that can be shared as the integrity of the restoration process must be protected”.
She added: “The Government extends its thanks and gratitude to all the public servants and private sector entities who have worked around the clock to aid in re-establishing our operations.”
Cyberdine, Mr Warner’s company, received a contract from IDT, which is part of the Cabinet Office, last August. It was awarded without a competitive bidding process, with the approval of Derrick Binns, the Head of the Public Service at the time.
The contract ran between August 10, 2022 and January 31 and was for $179,000, or about $29,000 a month.
Mr Warner said on his LinkedIn profile that he joined the Government of Bermuda as virtual chief information security officer, describing it as a “challenging and rewarding engagement working with a great team”.
He wrote: “It is truly like being the chief information security officer for 60 separate companies at the same time.”
CISOs are generally senior executives, with responsibility for information, cyber and technology security within an organisation.
The Canadian consultant added the position of deputy chief information officer to his LinkedIn profile in February.
When the Gazettereported on the Cyberdine contract in April, the Government denied that Mr Warner was the deputy chief information officer.
It then issued a follow-up statement, explaining that IDT had an “unsuccessful recruitment for the role of deputy chief information officer several months ago, as well as other vacancies in key areas” and so “steps were taken to identify interim resources to provide support”.
A government spokeswoman said at the time that there had been another recruitment exercise for a deputy chief information officer and it was “anticipated the post will soon be filled“, with the job of chief information security officer also to be advertised.
The Government did not answer a question yesterday about whether the recruitment was successful. Neither position appears on the organisational structure chart on IDT’s public access to information statement.
The government spokeswoman said in April that Cyberdine’s contract was renewed after it ended and the company was receiving $23,750 a month for cybersecurity services.
Mr Warner’s LinkedIn profile still describes him as the Government’s virtual chief information security officer, reporting directly to Mr Raynor.
The Cyberdine contract was made public in a notice published in the Official Gazette by IDT last December.
The notice listed about $3 million of contracts held by the department, including one for almost $300,000 with Info-Tech Research Group, a London, Ontario company, for research between April 2022 and April 2023.
Mr Warner’s LinkedIn profile states that he worked at Info-Tech between January 2018 and February 2023.
Info-Tech describes itself as the “world’s fastest-growing information technology research and advisory company”.
It warns on its website that cybersecurity suffers in organisations because of an inability to retain and hire cybersecurity talent, a lack of modern technology and skilled workforce, a failure to leverage digital technology, such as AI, and a lack of government investment in cyber technology, cyber products and cyber workforce development.
Info-Tech tells clients that a “comprehensive cybersecurity workforce development strategy addresses the inability to hire staff with the desired skills”.
The government spokeswoman said last night: “Cyberdine is a partner of the Bermuda Government and has provided invaluable support and dedicated resources in the restoration of affected services.
“Cyberdine has been instrumental in managing critical priorities and providing overarching security guidance to the Government.
“The Government continues its process of extensively reviewing its cyber security infrastructure and implementing enhanced security measures.
“Cyberdine has been a critical collaborator in working with the Department of Information and Digital Technologies in advancing this process.”
She did not share specific details about the services provided by Cyberdine, Info-Tech and other cybersecurity contractors.
Mr Raynor, a Bermudian, was hired as CIO in 2020 after 25 years working overseas, most recently as programme and IT manager for Montgomery County in Ohio.
Need to
Know
2. Please respect the use of this community forum and its users.
3. Any poster that insults, threatens or verbally abuses another member, uses defamatory language, or deliberately disrupts discussions will be banned.
4. Users who violate the Terms of Service or any commenting rules will be banned.
5. Please stay on topic. "Trolling" to incite emotional responses and disrupt conversations will be deleted.
6. To understand further what is and isn't allowed and the actions we may take, please read our Terms of Service