0

HACKERS STRIKE AT GOVT SYSTEM: Russians and Bulgarians behind cyber raid on key banking and personal data

Attorney General Carl Bethel. (File photo)

Attorney General Carl Bethel. (File photo)

By NEIL HARTNELL

Tribune Business Editor

nhartnell@tribunemedia.net

The Government is "betwixt and between" over the Registrar General's Department's cyber security woes after being forced to again shut down its online database following fresh hacking attempts.

Carl Bethel QC, the attorney general, told Tribune Business that the agency's online portal was closed "last week" after the Royal Bahamas Police Force (RBPF) detected fresh "incursions" that were traced back to Internet Protocol (IP) addresses in two eastern European countries.

While Mr Bethel declined to name the states involved, this newspaper understands from separate sources that the latest efforts to penetrate the Registrar General's Department originated from Russia and Bulgaria - both of which are known as established sources of hacking and cyber crime.

He blamed the latest series of hacks on the former Christie administration's failure to properly implement the recommended security measures when the Registrar General's Department was hacked for the first time, slamming the situation as "inconceivable".

However, these claims were yesterday refuted by his predecessor as attorney general, Allyson Maynard-Gibson. She told Tribune Business that "every technological upgrade" required under her watch was implemented, and that the Minnis administration needs to start taking responsibility given that it was elected to office more than three years ago.

The latest shut down, which comes just months after the Department's database was hacked in a separate January incident, has caused further frustration for the ease and efficiency of conducting business in The Bahamas even though Mr Bethel said it will likely re-open by week's end once "several layers" of new cyber security defences have been deployed.

The Registrar General's Department is the hub around which much of corporate Bahamas and, in particular, the financial services industry functions. It plays a critical role in the incorporation of companies and other Bahamas-domiciled vehicles, such as International Business Companies (IBCs), all of which are key cogs in structures employed by high net worth and institutional financial services clients.

The agency handles annual company filings/returns, and the payment of associated fees and name reservations/searches. Patent applications and approvals; the recording of deeds and documents, such as real estate conveyances; and births, marriages, deaths and adoptions are among its other core functions, meaning the Registrar General's Department touches every Bahamian and resident at some point in their life.

The closure of the online portal and database has thus meant that attorneys and the private sector have been forced, at least temporarily, back to a manual system for performing daily corporate functions, resulting in extra cost and time plus inefficiency. Marlon Johnson, the Ministry of Finance's acting financial secretary, confirmed to Tribune Business that new Business Licence applications are among the processes impacted.

"We shut it down last week," Mr Bethel confirmed of the Registrar General's online portal and electronic database. "We had opened it temporarily, and noticed according to the scans conducted by the police that there were attempted incursions by two IP addresses in eastern European countries.

"I cannot name them, but they are countries in the far east of Europe not in the European Union (EU). That's what our information is. I shut the whole thing down. We put in a drop box service which the whole industry should know about. We're trying to put in several layers of defences as an interim solution, but it will take a week. By this time next [this] week we will be up and running with additional defences."

Tribune Business sources confirmed that the two IP addresses involved were traced by the Royal Bahamas Police Force to Russia and Bulgaria, although Mr Bethel declined to comment on this.

The latest hacking attempts, following so swiftly behind the January incursion by the Distributed Denial of Secrets group, and the 2016 breach by the International Consortium of Investigative Journalists (ICIJ), threaten to spark concerns about the security and integrity of sensitive personal and financial data held in The Bahamas.

This, in turn, could be detrimental to the country's ability to attract fresh business and investment post-COVID-19 even though none of the incursions and attempted penetrations at the Registrar General's Department appear to have seized anything of real value. Both the ICIJ and Distributed Denial of Secrets obtained only companies registry information, including lists and names of directors, that is publicly available for a fee.

However, with cyber security set to assume ever-greater importance in the post-COVID-19 world, Mr Bethel revealed that he was seeking to split up the Registrar General's Department's electronic database into several separate ones based on their functions.

This, he explained, will mean that the companies registry will be separate from that of births, marriages and deaths. With these on separate servers, Mr Bethel said any hacker able to penetrate one of these databases would be unable to access all - as they can presently.

Pledging that the companies registry will have additional cyber security defences "to guarantee the complete integrity of that system", the attorney general revealed that multiple government agencies can currently access the Registrar General's Department's online portal. This, he disclosed, creates extra risk and potential openings for hackers to exploit, noting that the ICIJ intrusion "came through another government agency".

Declining to name the culprit, Mr Bethel added: "Every government agency you care to name has access to the portal. NIB, tourism, which needs to count shipboard weddings in Bahamian waters.

"We're betwixt and between. There are two things going on. One is to try and put in some security restrictions and take steps to correct the errors left in place. The errors in 2016 we have corrected as of now, and are trying to put in layers of security to allow us to open.

"I'm also trying to find ways to differentiate the different registries," he continued. "Tourism, which needs to keep track of weddings on cruise ships and persons coming to The Bahamas to be married, will only have access to that part of the registry. NIB, which needs access to births, marriages and adoptions, will only have access to that part of the registry.

"We need segregated databases so that if someone is able to hack one part they can only get into that. We're working on a number of fronts." Mr Bethel said the Government was also developing a "temporary approach" to ensure Business Licences and other related filings could continue.

"That will be on a restricted basis, but hopefully by Monday [today] we will have something that will allow Bahamian entities - in terms of their relationship with the Department of Inland Revenue - to have a certain amount of access."

Mr Johnson, at the Ministry of Finance, confirmed to Tribune Business that the lost access to the Registrar General's Department's online portal had impacted new Business Licence applications as entrepreneurs were delayed in incorporating, reserving business names and ensuring they did not duplicate firms already in existence.

"It's the incorporation and registration of names. They have to search the registry's system when you register a business name," he explained. "It has impacted our Business Licence processes. However, the team has put together a manual work around. It has slowed us down but hasn't stopped us. I'm told they're to the point where it should be rectified."

Mr Bethel, meanwhile, said the COVID-19 pandemic had also delayed the arrival of a company that has been contracted to build a database which captures "historical" companies information going back to a certain year and marries this with current information.

He added that this project, designed to reduce the number of persons coming to the Registrar General's Department to conduct searches, would begin once travel restrictions ease. However, Mr Bethel said the Government's new technology and digital department was "not on the same page" with regard to this project - something he intends to rectify vis a series of meetings over the coming weeks.

Blaming the weaknesses in the Registrar General's Department's defences on the former Christie administration, Mr Bethel said the current government had been under the impression that the weaknesses exposed by the ICIJ had been rectified until it discovered otherwise via the Distributed Denial of Secrets hack.

"None of the measures to defend against future hacks were implemented by the former administration and former registrar general," he told Tribune Business. "Nothing had been done to correct the errors that led to the ICIJ. We were unaware they had not taken the protective measures. None of us were given the information when we came in. We didn't know the circumstance.

"The [Distributed Denial of Secrets] hack started in October 2019, and between then and February they got the information. The system did not have any alert contrary to what we were advised. We were entirely unaware of what was happening until the information was published. That's how drastic it is.

"We cannot afford to make the same mistake twice, or a third time, due to ignorance on our part as to what has been recommended and not implemented. It's inconceivable that, having gone through the embarrassment of the ICIJ hack, these measures were not implemented. Inconceivable."

This, though, was rejected by Mr Bethel's predecessor, Mrs Maynard-Gibson. She said, in a statement to Tribune Business: "So far as I am aware, at all times that I had responsibility for the Registrar General’s Department (RGD) every technological upgrade was done under the recommendation of - and implemented by - the outstanding Bahamian professionals at what was then called the Department of Information Technology (DIT) of the Ministry of Finance and BTC.

"During the course of RGD upgrades, these Bahamian professionals discovered that a previous FNM administration had given sole access to information in the companies registries and other information at RGD to a non-Bahamian vendor. Also, a previous FNM administration had given a Bahamian vendor unimpeded access to the documents at RGD and the Supreme Court Registry.

"The Bahamian professionals at DIT and RGD were concerned about the security of this information. The Bahamian professionals advised that the access to the non-Bahamian vendor should be removed and repatriated to DIT. This advice was accepted and implemented. Also upon their advice, action was taken to obtain the documents (digital and hard copy) from the Bahamian vendor."

The ex-attorney general continued: "It is more than three years since the FNM became government. Its failure to implement further upgrades and act upon the recommendations of the Bahamian experts must fall squarely at its feet and nowhere else.

"Rather than blaming others, time might more productively be spent quickly implementing secure upgrades and improving The Bahamas’ ease of doing business rating. There are many Bahamian entrepreneurs that would be delighted to enter into PPPs (public-private partnerships) to accomplish these goals."

Comments

Chucky 4 years, 5 months ago

Pure BS!

Anyone with the wherewithal to hack can create the appearance of any IP address they want

Our bumbling fools continue to open their mouthed and show their stupidity and complete ignorance.

caribfp 4 years, 5 months ago

Bey i aint ga lie but they got to stop they nonsense calling it hacking because in dis day and age. They ain't educating the Bahamians with what's going on so dey ga look up a scapegoat. Share the content to more Bahamians because these people look like they selective with what's being published. https://www.lukayans.com/10-things-onli…

Porcupine 4 years, 5 months ago

Can the blame game go on forever? Bethel is showing himself as someone who is too much a part of the problem.

tribanon 4 years, 5 months ago

Minnis and this mangy potcake of his, Bethel, would blame the China virus on the PLP if they believed they could get away with doing so.

Truth be told the FNM government has allowed itself to be pressured by the EU, OECD, FATF, etc. into gathering highly sensitive information on the beneficial ownership and business activities of most types of entities domiciled in the Bahamas. This highly sensitive personal business information is now stored on data bases kept by the registered agent of the entity as well as the Registrar General's Department (RGD). But many of the registered agents and the RGD itself do not heavily invest in secure IT systems and/or costly qualified IT personnel on a sustained basis. Today there's no such thing as personal financial or business privacy, especially in countries like the Bahamas that are under resourced and in a financial mess, and therefore are much too easily manipulated by foreign governments seeking to protect or increase the tax base of their citizenry globally.

And even when they do make significant IT investments, they usually do not get bang for the buck and are all too easily often taken to the cleaners by unscrupulous IT consultants, both local and foreign. The recent spate of serious cyber-criminal hacks of government maintained databases is sending a loud and clear message to the global financial community that the Bahamas is not a secure place to do business if you truly value the privacy of your more highly sensitive personal business information. Let's not forget too that cyber-criminals are well known to extort high networth individuals or sell their highly sensitive information to the highest bidder which often includes financial regulators and tax authorities in other juridictions who might have a keen interest in such information.

monkeyflip 4 years, 5 months ago

Ummm hello - states known for cybercrime? How about VPN!!

caribfp 4 years, 5 months ago

1st off Signing into this horse naney of news site is frustrating if i can't sign in with FB or twitter after years, and it need changing bad. Stop being cheap and go hire a top-notch professional. Second of all, bethel is full of it. He said months ago about the Standard & Poors, Mosely ratings taking advantage of the Bahamas reputation and they need to cyc.
But dey is an association from the States & Europe that makes multi-billions to trillions. Who credibility is really needed to b listen to? A hint is it ain't a be no country that struggles to make 13 billion a year & its dep to GDP ratio is +90%, that's already 11 billion dollars in debt and can't make any money for its people of only 400 thousand. 3rd those countries got Bahamas blacklisted because of this same reason. How could da Bahamian people forget that they phsihed the ZNS HQ, some shipping companies that were ID from Africa and all thee victims of money laundering? Dey still get so many cases of that dat people promoting it online. And lastly, It is not Hacking Mr. Attorney General. Thats why you sit small in law porcess and you have a central bank with FTC, CIA on dealing with Cybersecurity and Fintech. Bahamians need to catch his lying self. read what it is actually called on this site with lukayans. https://www.lukayans.com/10-things-onli… at least some places care to educate the Bahamian public because it is not hacking in most cases in dis day and age. Too many people taking money under the counter. Godbless.

Godson 4 years, 5 months ago

Preempting certain failures or missing files, government has begun laying the ground works for excuses.

Sign in to comment