No evidence yet of personal data breach in Bermuda cyberattack
HAMILTON, Bermuda, (CMC) – The Bermuda government says an investigation into last Thursday’s “major cyberattack” that severely hampered government information systems has failed to unearth any evidence that personal information was accessed by third parties.
Premier David Burt told a news conference that any data held on government files did not appear to be compromised even as he acknowledged that there was “a significant amount of data on our systems.”
“We are going through the forensic process so that we can identify what, if anything, was infiltrated. At this point in time, as of the report that I had … with a briefing from our international team, they have not been able to uncover any forensic evidence of exfiltration at this time,” he said.
“That does not mean that they may not be discovered but they’re going through the process of careful and significant forensic investigation so that we can identify what has happened,” Burt said, adding that, if any evidence of a breach is detected, affected people will be notified immediately.
Burt has promised that “we will act in the best interests of our citizens and it will be responsible for the Government of Bermuda to make sure that we notify persons if their data has been compromised.”
“If there is a data breach that is confirmed we will of course contact affected persons and organisations with information and guidance on protective measures, and for all persons, whether or not this happened or not we recommend vigilance against phishing attempts and encourage regular password updates,” said Burt.
The government has already indicated that it will provide the public with “accurate and timely information once we have a clear understanding of the data that may have been accessed” and will engage with the Privacy Commissioner and other relevant international authorities as appropriate, to ensure that all necessary notifications and actions are taken.
The Privacy Commissioner, Alexander White, said there were several reasons why organisations that hold information on private citizens should notify those individuals if there has been a security breach.
“Data-breach notification requirements, such as those found in the Personal Information Protection Act, are intended to warn individuals about potential adverse effects so they may take steps to protect themselves,” said White.
“This messaging is also an opportunity for the organisation to communicate to their customer or client the measures that they are taking to address the issue and mitigate potential adverse effects,” White added.
Under personal information protection laws, organisations in possession of private data on individuals must contact the Privacy Commission if they have been the victim of a cyberattack. They must then notify any individual who may be affected by the breach.
However, those rules do not come into effect until January 2025.