By NEIL HARTNELL

Tribune Business Editor

nhartnell@tribunemedia.net

Technology specialists yesterday voiced fears that hackers may start viewing The Bahamas as “an easy target” unless the Government, private sector and others start treating cyber security “more seriously”.

Duran Humes, chief executive of Plato Alpha Design, a software development firm, speaking after BISX-listed Arawak Port Development Company (APD) revealed it was hit by a ransomeware attack in April 2024, told Tribune Business he was aware of cyber security breaches occurring in The Bahamas at the rate of one incident per week.

Describing that as “a bit more frequent” than he would wish, Mr Humes called for this nation to go beyond the Government’s Cyber Incident Response Team (CIRT) and create a “force” of cyber security specialists - similar to the police and Defence Force - to guard “the front lines” of this growing threat especially given the growing reliance on a knowledge-based, digital economy.

Keith Roye, Plato Alpha Design’s chief operations officer and a Tribune Business columnist, echoed his colleague’s concerns in telling this newspaper that micro, small and medium-sized (MSME) Bahamian businesses are likely to be “very vulnerable” to cyber criminals simply because they lack the financing, technical resources and expertise to properly protect themselves.

He added that breaches, especially those that result in customer data being lost, stolen or hacked, can do tremendous damage to a company’s reputation and operations for once clients are made aware they will often switch their business to rival companies.

“Breaches are definitely happening at least once a week here in The Bahamas, which is a bit more frequent than I would like it,” Mr Humes said. “It’s definitely something companies should take seriously. We’re seeing a lot of companies looking to move towards the cloud, which is exposing their data and information even more.

“A lot of companies, because of COVID, started to work from home and some have not fully gone back to the office. Some are doing hybrid approaches, but that’s exposing them to any number of vulnerabilities. On top of that, frauds and scams are ever increasing.”

Mr Humes pointed to the surge in What’s App scams that occurred two to three weeks ago, revealing that he almost fell for requests to send someone $1,000 because they were in financial difficulties and having trouble paying their bills. “I had at least six different persons asking for $1,000,” he recalled. “They almost got me; they almost did. They were asking for $1,000 to help with something and pay their bills.”

Explaining that scammers had hijacked the What’s App number and contacts of persons who were fooled into clicking on Zoom links, Mr Humes said other persons were conned into sending funds. He added that when he tried to obtain information from the scammers, he was only given two payment options.

“That really should have instantly been a red flag,” the Plato Alpha chief explained, “but people still went ahead and paid. Definitely cyber security is something we should take extremely seriously, especially with the Government pushing digital transformation, Artificial Intelligence (AI). Even as recently as yesterday, or the day before, we had the minister of education speaking about digitisation.”

Given this trend, Mr Humes said The Bahamas must press forward and “get cyber security in a much better place than it is now”. He added that much of this drive has to focus on education and awareness, such as not clicking on Zoom links transmitted by What’s App.

“We as the good guys, the good actors, have to be ready all the time. The bad guys only have to be good once and you’re stuck in a ransomware situation,” Mr Humes added, warning that many Bahamian companies “pretty much ignore the Data Protection Act, sad to say”, even though it provides guidelines for the implementation of best practices.

“Data is the new currency,” he added. “Persons having access to it can sell it to scammers, spammers, whoever they are. It’s an easy market. Cyber security becomes incredibly important as we move away from paper documents which are much harder to obtain.” 

With nothing in Bahamian law to mandate that companies must publicly disclose cyber security breaches, Mr Humes said: “It definitely opens up a brand new field which I hope a lot of young people get into, cyber security, which really needs persons who are analysts and on the front lines.

“Like the police force and the Defence Force, we need to have a force of persons who know what they’re doing to set us up in the right way. We have the national CIRT, but are definitely going to need more resources. Things are definitely going to have to ramp up.”

Mr Roye, meanwhile, urged Bahamian companies to either hire “a full-time security person to make sure different metrics are in place, such as firewalls, or engage security companies to do penetration tests of infrastructure to ensure there are no data leaks, no vulnerabilities and plug them as soon as possible”.

Referring to the APD ransomware attack, he added: “I think this proves it’s a big threat. In my experience, I haven’t seen a whole lot of companies take their security particularly seriously and my fear is if these hackers or whoever is behind this get the idea The Bahamas is an easy target they will start to hack into a lot more Bahamian businesses.

“My advice would be for Bahamian companies to take the necessary action and put in the appropriate measures because it will have a significant impact from an operational standpoint and data security standpoint. If your systems are compromised your customers may not feel you are safe, and cease doing business with you. It might cause customers to switch vendors and do business with someone else.”

APD said it paid no ransom over the April 2024 intrusion, which resulted in data systems temporarily becoming “inaccessible” and Nassau’s major commercial shipping port having to revert to manual processes to resume operations. It described the disruption as “minimal” and the incident was resolved in just over two weeks.

In an explanation likely to provide a wake-up call to other Bahamian businesses on the perils and risks posed by cyber crime, especially the likes of ransomware, APD’s audited financial statements said: “On April 18, 2024, the company identified and responded to an Akira ransomware attack, which encrypted certain data systems including those used to record financial data, resulting in servers and on-premises applications being inaccessible for a brief period of time.

“Prompt action was taken to contain the incident and secure the systems, including engaging an external IT service provider to assist with the recovery process and a third party Cyber Incident Response Team (CSIRT) specialist who conducted a forensic investigation of the incident and provided an investigative summary report. Management also notified the Bahamas Computer Incident Response Team (CIRT-BS) and the Royal Bahamas Police Force.

“Management, with the aid of the IT service provider, was able to restore and rebuild the financial data impacting the financial statements. The company switched off Internet-facing systems and reverted to a manual process to resume business operations,” APD continued.

“During recovery, back-up files were restored and quarantined. Upon full recovery of systems, electronic records were updated to include the data that could not be recovered and the data captured during the manual operation period. All impacted systems had been successfully restored with minimal disruption to their operations by May 2, 2024.”

Assessing the fall-out, APD added: “Due to the full encryption of nearly every server in the APD environment, lack of available logs and the number of devices/applications in the APD environment with known exploitable vulnerabilities, the third party CSIRT was unable to confirm the root cause of the attack.

“However, the CSIRT investigation found no evidence of data exfiltration or significant disruption to operations. The company did not make any ransom payments. The incident did not result in any material financial impact or loss of revenue.

“Management has taken further steps to enhance our cyber security measures and mitigate future risks based on guidance/recommendations from the CSIRT investigative summary report. This event has been disclosed in accordance with regulatory requirements and international best practices to inform our stakeholders of the potential risks associated with cyber threats.”