Under attack!
The personal information of some Government ministers, several parliamentarians, former senators, and titans of industry has been exposed in a cyberattack on boutique brokerage firm Mayberry Investments Limited by the Play Ransomware Group.
The information, which goes as far back as 2009, includes margin loans, the portfolio sizes of various individuals and other private details.
Thousands of files, including bank statements and other recently submitted information of various Jamaica Stock Exchange-listed companies, were also in the leak.
Mayberry clients were informed last Friday via e-mail that the company was the subject of a cyberattack and that its cybersecurity experts were assiduously working to investigate and remediate the situation.
This was followed up with a disclosure to the Jamaica Stock Exchange (JSE) on Sunday, with clients told to contact Chief Executive Officer Gary Peart via e-mail or to call Mayberry’s landline numbers.
“We are currently not experiencing any disruption in services and will continue the monitoring of this malicious activity. Additionally, we have not seen any evidence that the financial positions of our clients have been compromised. Mayberry is committed to maintaining a secure digital environment and we are actively working to further solidify our networks and systems,” an initial release from Mayberry stated.
Mayberry’s clients had received downtime advisories on May 18 and 19 which mentioned that the online platforms were currently under maintenance and the infrastructure was being refined for client satisfaction.
On May 22 and 23, different cybersecurity pages such as FalconFeedsio, RedPacket Security and Ransomware Leaks posted on Twitter that Mayberry Investments was Play Ransomware Group’s latest victim, and a June 1 deadline was set as the publication date. The ransom amount was not disclosed.
Nearly five gigabytes of information have been posted on the dark web, ranging from birth and death certificates, passports and driver’s licences to other communication between clients. The posted information also includes content related to Mayberry’s subsidiaries and its general operations, including its recent financial statement audit.
The leak suggests that Mayberry did not pay the ransom.
When asked by the Jamaica Observer about the matter, Peart referred the newspaper to a new disclosure sent to clients which pointed out that several actions have been taken to mitigate and address adverse effects of the breach.
The Cyber Crime Unit of the Jamaica Constabulary Force has been contacted while direct communication has been made with clients, and an additional EDR (endpoint detection and response) solution was deployed to effectively monitor network activity.
“Subsequent to our prior communication sent on Friday, June 2, 2023, we can confirm that a security breach occurred which compromised client data. Upon advisement of the data breach, Mayberry enlisted the services of independent cybersecurity experts to carry out a detailed investigation and execute the necessary remediation to ensure that no existing threats remained,” Mayberry said in the statement which referenced its data protection officer.
Information on the Internet about Play Ransomware states that it is also known as PlayCrypt and was launched in June 2022. Since then, it has been responsible for multiple high-profile attacks, including a recent cyberattack on the city of Oakland, California in the United States that caused network outages and rendered many non-emergency systems inoperable.
Attacks spiking
This is one of the latest high-stakes cyberattacks by black hat criminals in the Caribbean over the last year.
Aeropost Inc was the subject of a cyberattack in April 2022 which resulted in clients of the Latin American and Caribbean regional logistics company seeing their debit and credit cards compromised and several charges being racked up by fraudsters. Click USA Inc has filed a claim against PriceSmart Inc, the prior owners of Aeropost up to October 2021.
Massy Holdings Limited saw its Massy stores in Trinidad and Tobago come under fire in April 2022 and Massy Distribution (Jamaica) Limited compromised in September 2022 as cybercriminals attacked the regional conglomerate. Massy made several changes to its information technology (IT) procedures following the attack.
In December 2022 a hotel in the Corporate Area was compromised in a cyberattack which saw the information of numerous guests being held to ransom. The information was originally posted on a dark web forum before it was deleted, which possibly implies that a ransom was paid to the perpetrators.
In the face of the attacks, cybersecurity experts are warning companies to take data protection more seriously as the Data Protection Act (DPA) comes into effect later this year.
“There is no guarantee you will regain access to your data, nor prevent it from being leaked. We do not encourage funding these attacks, hence we recommend not to pay the ransom. This highlights the importance of recovery strategies and controls. In the event there is a ransomware incident, companies should be able to execute these steps to recover business operations to limit downtime and loss of income,” said director of cybersecurity at Symptai Limited Rory Ebanks.
The last known major cyberattack on a local financial institution was in March 2020 at Jamaica National Group, which affected various subsidiaries including banking and money transfer platforms.
In the month prior, brokerage firm VM Wealth Management Limited had an incident in which the personal information of thousands of customers was inadvertently e-mailed to numerous customers.
The Mayberry breach has left many customers asking about the next steps as, while the initial Mayberry statement said that there is no evidence that clients’ financial position has been compromised, it has left them potentially exposed to fraudsters and other criminals who can use the information published online. Signature cards, IDs, tax registration numbers, addresses and other personal information can be used by criminals to commit fraudulent activities.
This is further complicated by the rise of artificial intelligence and other digital tools which can spam users via their personal numbers and e-mails. Also, a cybersecurity professional highlighted that the leaked past financial activity can make victims of the breach targets of ordinary criminals.
The Play Ransomware Group has continued to wreak havoc over the last year with cloud provider Rackspace and hospitality firm H-hotels becoming the latest victims in December.
Data protection ramifications
The DPA is set to come into effect on December 1 with all companies operating in Jamaica having to register with the Office of the Information Commissioner by November 30. Some companies will be required to have a data protection officer.
The possible legal ramifications which can occur for Mayberry in the absence of the DPA being in effect are unknown. Mayberry’s 2022 annual report referenced that the IT department worked during the year to be compliant with the DPA, which included the revision of systems and policies.
“Any citizen who feels that you’re not dealing with their data properly can independently go to the information commissioner and file a complaint which will trigger an audit,” said CEO of 876 Technology Solutions Trevor Forrest.
“If you’re audited and it is found that you’re not doing what needs to be done to secure and treat people’s data in the right way, the information commissioner has the awesome power to lock down your business. It’s truly game-changing legislation, but I don’t think people fully understand the impact it will have on businesses,” he argued.
Other IT practitioners in Jamaica highlighted that numerous companies are getting hit and many firms are not placing significant emphasis on IT spending as they focus on growing the bottom line. They also mentioned that many are not informing clients and keeping the information guarded as they try to protect their reputations.
“Cybersecurity is always a challenge, not only in the Caribbean but globally. Organisations that invest millions of dollars into cybersecurity programmes still get breached and are the victims of cyberattacks. That doesn’t mean we should not invest in cybersecurity; we must continue to leverage security best practices and improve on the layers we currently have in place, as the threat landscape continues to evolve daily,” Ebanks added.
Cybercrime has spiked in the last three years since the COVID-19 pandemic as the world has been forced to accelerate into the digital era. Forrest highlighted that the cost of cybercrime this year is US$6 trillion with projections it could hit US$10 trillion by 2025. The total cost of transnational crime was estimated at around US$2.5 trillion. The 876 Technology Solutions CEO mentioned that the age of digital warfare can see countries crippled through cyberattacks without the enemy ever physically stepping into the country.
“This one is hard. The main issue is that companies aren’t handling your data correctly. The best thing a customer can do is vet the companies you associate with. And that’s a hard enough task for customers, as many don’t have any insight into the company practices. For your accounts, don’t use personal information for security questions, passwords, or pins,” another cybersecurity expert added, on protecting personal lives in the digital age.