Records from the Barbados Revenue Agency such as property tax records and vehicle owner’s registration records are being offered for sale, but is the government even aware that personal information has been acquired and is at risk of misuse?
According to a post on a well-established Russian-language forum, there are 230GB of uncompressed data that includes driver’s licenses, social identification, and legal documents such as vehicle registration. The seller also claims that a database has 8 .xlsx files containing full names, email addresses, phone numbers, passports and national ID numbers, and driver’s license numbers.
The listing includes some sample files as proof of claims.
DataBreaches was provided with some additional details and proof by a spokesperson for the seller (“Pryx”). A screencap provided to this site showed that Pryx had access to the admin portal for the Barbados Revenue Agency. A second screencap indicates that while in that portal, Pryx inserted code for a fake captcha scam that can lead to malware injection (the same scam as the one independently described on X). In response to questions from this site, their spokesperson responded that they didn’t pursue using the captcha scam because they had already dumped the data and didn’t need it. They left it in the portal, however, and the government’s IT people or forensics team will likely find it.
When asked if they still had access to the portal, Pryx commented that even if the government changed passwords, they might still be able to regain access if the government does not figure out the vulnerability they exploited to gain access.
Personal Information in Files
As noted above, some files contained personal information, but it appears that not all files with personal information were restricted to Barbados citizenry. One of the proof of claim files contained an image of the driver’s license of someone from South Carolina whose relative may own property in Barbados. Other proof of claim files included images of people fishing or just engaging in leisure pursuits. Some files appeared to contain religious or inspirational messages. Why the government would store those files was not intuitively obvious to DataBreaches.
DataBreaches emailed the Barbados government yesterday to ask about the incident and their response. Pryx had claimed that he had emailed them a monetary demand to delete the data but that they had not responded at all. DataBreaches sent this site’s questions to the Prime Minister, the Barbados Government Information Service, and the Barbados Revenue Agency. No reply has been received by publication, so although the revenue-related files appear likely to be genuine, the government has neither confirmed nor denied any breach at this point.