Bermuda IT systems still affected by hack ten weeks on
Government IT systems are still being affected by the massive September cyberattack, which was first reported ten weeks ago, while the exact nature of the hack and whether personal data was stolen remain a mystery.
“It would not be appropriate to disclose specific details about the extent or nature of the cyberattack,” a government statement on Monday said.
The remaining issues seem mainly related to e-mails, including some messages sent to public authorities going astray, based on anecdotal information shared with The Royal Gazette by people with gov.bm addresses.
“The majority of government systems are available but still have some minor issues that are being addressed by the IT teams,” the statement said.
“This is having some effect on service delivery.”
The statement did not give details but noted that though the e-mail system was “restored” after the September 20 hack, “certain issues persist, which our IT team is actively resolving”.
“Concurrently, we are in the midst of enhancing and migrating the e-mail system, a process that may result in minor service disruptions as we strive for improvements.
“Individual e-mail concerns are being handled on a case-by-case basis.”
No information has been given about how many e-mails had disappeared or whether a log was being kept of messages reported missing.
The Deputy Governor told the Gazette last month that an e-mail sent from the newspaper to his gov.bm address was never received.
“I’m afraid that e-mails received in the weeks after the cyberattack may have gone astray, as was the case for your October e-mail,” Tom Oppenheim said.
A civil servant told the Gazette that an e-mail sent by a reporter on November 9 never arrived.
External links to bermudalaws.bm, a site maintained by the Attorney-General’s Chambers, are not working but it is not known whether the issue is related to the cyberattack.
The Premier, David Burt, and his Cabinet colleagues have been tight-lipped on the nature of the cyberattack, including whether it involved ransomware and whether personal data was exfiltrated.
A police investigation continues, and a parliamentary committee will be tasked with looking into how it happened and the Government’s response.
“The Government will initiate a full inquiry into the matter, and the findings will be made public,” the statement said.
“We assure the public that every effort is being made to resolve any outstanding issues promptly.”
A comprehensive list of services that went down was requested but not made available by the Government. An online list is available, though it is not clear when it was last updated.
On Monday, the Government published a request for proposal on the government procurement website seeking cybersecurity firms to carry out “external penetration tests” on computer systems.
The request said the aim was to find a vendor to conduct “external penetration tests” on specific software systems, including the tax and web portals.
“The selected vendor will be responsible for performing in-depth assessments to identify and address potential vulnerabilities in these critical systems,” it said.
The deadline for submissions was listed as 5pm on December 15, with the agreement expected to be signed on January 3.