Records from the Barbados Revenue Authority such as property tax records and vehicle owner’s registration records are being offered for sale, but is the government even aware that personal information has been acquired and is at risk of misuse?
According to a post on a well-established Russian-language forum, there are 230GB of uncompressed data that includes driver’s licenses, social identification, and legal documents such as vehicle registration. The seller also claims that a database has 8 .xlsx files containing full names, email addresses, phone numbers, passports and national ID numbers, and driver’s license numbers.
The listing includes some sample files as proof of claims.
DataBreaches was provided with some additional details and proof by a spokesperson for the seller (“Pryx”). A screencap provided to this site showed that Pryx had access to the admin portal for the Barbados Revenue Authority. A second screencap indicates that while in that portal, Pryx inserted code for a fake captcha scam that can lead to malware injection (the same scam as the one independently described on X). In response to questions from this site, their spokesperson responded that they didn’t pursue using the captcha scam because they had already dumped the data and didn’t need it. They left it in the portal, however, and the government’s IT people or forensics team will likely find it.
When asked if they still had access to the portal, Pryx commented that even if the government changed passwords, they might still be able to regain access if the government does not figure out the vulnerability they exploited to gain access.
Personal Information in Files
As noted above, some files contained personal information, but that information was not limited to Barbados citizens. One of the proof-of-claim files contained an image of the driver’s license of someone from South Carolina whose relative may own property in Barbados. Other proof-of-claim files included images of people fishing or just engaging in leisure pursuits. Some files appeared to contain religious or inspirational messages. Why the government would store those files was not intuitively obvious to DataBreaches.
DataBreaches emailed the Barbados government yesterday to ask about the incident and their response. Pryx had claimed that he had emailed them a monetary demand to delete the data but that they had not responded at all. DataBreaches sent this site’s questions to the Prime Minister, the Barbados Government Information Service, and the Barbados Revenue Authority. No reply has been received by publication, so although the revenue-related files appear likely to be genuine, the government has neither confirmed nor denied any breach at this point.
Post-publication, the above was edited to correct the name to Barbados Revenue Authority. The previous version incorrectly called it the Barbados Revenue Agency.
Update of October 3: The government did not respond to this site’s inquiries, but Starcom reports that the government has confirmed a data breach at the Barbados Revenue Authority but claims that it’s limited to the vehicle registration system. DataBreaches sent a second email to the government and privacy@ email addresses asking about the general service files and the files with personal information in the VPE and VRE files. After reviewing additional files provided to this site by Pryx, DataBreaches notes that even if the personal information of tourists and of those seeking driving privileges in Barbados is stored in the vehicle registration system, it is still a large amount of personally identifiable information that criminals can misuse. Will the government mail or contact people from so many different countries to alert them to the breach?
The government did not respond to this site’s second email.
DataBreaches notes that Barbados Today reported on the breach and cited concerns consistent with those raised by this site:
Charging that the Barbados Revenue Authority (BRA) might have suffered the most extensive data leak to date, cybersecurity expert Niel Harper warned that a massive amount of sensitive information has been exposed and blasted the government’s response as inadequate.
Harper is charging that the breach is far more serious than what has been disclosed by officials, accusing them of downplaying the scale of the incident.
Harper, managing director and digital trust practice leader at Octave Cyber Security Group, said he sent correspondence on the issue to Attorney General Dale Marshall and Minister of Industry, Innovation, Science and Technology Marsha Caddle advising on what needed to be done as a matter of urgency to mitigate further harm to affected individuals. He said he had also reached out to Prime Minister Mia Mottley but had yet to receive a reply from any of the three officials.
Read more at Barbados Today.
For a government that stated it was going to be transparent about this breach, it would help if it actually responded to this site and to a cybersecurity expert in its own country who also has questions and concerns.