Committee Releases Report Into Cyber Attack
“All available indicators suggest that a ransom demand and ransom-related payment activity may have occurred,” the Parliamentary Joint Select Committee report on the September 2023 cyber attack on the Government of Bermuda said, with the report adding “the Committee does not state, on the basis of the line items alone, that the full amount was paid as ransom. However, the scale, timing, and description of those line items require full explanation.”
The 42-page report was released today in Parliament by the bipartisan committee which included PLP MP Lawrence Scott, PLP MP Scott Simmons, PLP MP Jamahl S. Simmons and OBA MP Dwayne Robinson.
The report stated, “The Committee further agrees that all available indicators suggest that a ransom demand was made and that ransom or ransom-related payment activity may have occurred. The Committee notes the Cyber Incident 2023 Budget Book line items: approximately $3.092 million under Head 10 – Ministry of Finance Headquarters, and approximately $1.323 million under Head 43 – Information and Digital Technologies, for a combined total of approximately $4.415 million.
“The Committee does not state, on the basis of the line items alone, that the full amount was paid as ransom. However, the scale, timing, and description of those line items require full explanation.
“The Committee further considers that the $4.415 million expenditure must be assessed against the alternative scenario of rebuilding Government’s affected digital environment without access to backups or original software.
“Based on comparable public-sector ransomware incidents and the likely scope of Government’s digital environment, rebuilding without access to backups or original software could have required direct 2023 market costs in the range of $25 million to $70 million, with severe-case exposure exceeding $100 million if critical data had to be manually reconstructed or legacy systems fully replaced.
“The Committee therefore recommends referral of the report and supporting materials to the Public Accounts Committee. The PAC should determine who was paid from the Cyber Incident 2023 line items, the amount and purpose of each payment, whether any payment related to ransom negotiation, decryption, data recovery, system restoration, forensic support, intermediaries, insurers, cryptocurrency facilitation, or similar activity, and whether the payment trail provides further evidence relevant to identifying parties involved in, facilitating, or benefiting from the cyberattack.”
The report concludes by saying, “The Committee concludes that cybersecurity must be treated as critical national infrastructure. The reforms recommended in this report are directed toward prevention, resilience, accountability, and the protection of the public. They are also designed to ensure that future governments, regardless of political party, inherit a stronger and more resilient cybersecurity framework than existed in September 2023.”
The report’s key findings were:
1. Government became increasingly digitally dependent over the years leading to 2023. Digital reliance increased across public services, finance, communications, and operations.
2. The 2023 risk position was cross-administration and non-partisan. Successive administrations led by both political parties governed during the accumulation of cyber risk.
3. Government was on notice of critical cybersecurity risk before the attack. The May 2023 Cyberdine assessment identified a Critical cyber risk posture.
4. The attack occurred during an implementation gap. Risk awareness existed, but key controls were not fully operational or mature before the attack.
5. Personal data was compromised. The Committee relies on independent verified sources and post-incident scam/phishing warnings in reaching this conclusion.
6. All available indicators suggest that a ransom demand and ransom-related payment activity may have occurred. The Committee’s view is based on ransomware modus operandi, comparative cases, line-item expenditure, and the unresolved public record.
7. Cyber Incident 2023 expenditure requires full review. The approximately $4.415 million in line items requires explanation of recipients, purposes, approvals, and payment trails.
8. Prevention requires national resilience reform, including a Task Force, advisory council, funding, FTEs, incident plan, ransomware framework, exercises, and parliamentary oversight.
Bernews asked the government for comment on this report and some of the statements in it and will update if able.
The Parliament of Bermuda Joint Select Committee Report follows below [PDF here]:
Read More About
Category: All, News, Politics, technology


“The Committee further agrees that all available indicators suggest that a ransom demand was made and that ransom or ransom-related payment activity may have occurred.”
So, the PLP Government will not tell the Parliamentary Joint Select Committee or the public the truth.
I reported a breach of the government systems directly to Mr. Big, Mr. IT himself, on December 27, 2021, almost two years before the big ransom breach. Not even a thank you. And somehow my report to BPS of that breach cannot be found on the BPS computer system. Go figure…
Yeah bbut… you still have your original copy, right.?.!! lol..