Cybersecurity data breach leaves Access client enraged

A hotel executive and her mother were in stunned disbelief after they found out last Wednesday that sensitive personal information from a transaction with Access Financial Services (AFS) was openly accessible on the Internet.

They found out through separate phone calls from The Sunday Gleaner that their telephone numbers were among what technology experts described as a massive dump of files stolen from AFS.

The data dump, seen by The Sunday Gleaner, also included personal data for at least two dozen other AFS clients, including their names, taxpayer registration numbers (TRNs), the names of their employers and details about their respective loan transactions.

Trevor Forrest, a top technology expert, said his perusal of the data also revealed scores of email addresses along with the related passwords.

“Everything is there on the dark web. It’s not a pretty situation,” said Forrest.

Forrest, the chief executive officer of 876 Technology Solutions, indicated, too, that the data dump contains the type of information that bad actors search for on the dark web to enable identity theft and other social engineering schemes that have become prevalent in Jamaica.

Citing the common practices of linking an email account to a bank account and using one password across different accounts, he said information from one data set could be used to compromise other accounts in different, sometimes, unrelated systems.

“And in this case I am doing it with four different systems because one is your Access Financial account, the second is your Gmail account, the third one is a bank account that is with different institutions and pray tell you have a bank account at multiple institutions using the same password,” he said.

AFS, which was formed in 2000, operates 18 branches nationwide and has total loans disbursements of $15 billion, carving out a niche as one of the top lenders to the microfinance sector, according to its website.

The company acknowledged, in a public statement last Sunday, that it first became aware of a “cybersecurity incident” on February 26 this year and “immediately took steps to contain it”.

However, AFS said investigations later confirmed that “unauthorised access to sensitive areas had resulted in a data breach from the incident”.

Since then, the company said ongoing cyber-surveillance has revealed that personal data “presumably” extracted from its network was released on the dark web on March 21, 2025, along with a posted ransom.

AFS said those affected include “clients and customers”, but indicated that it was “unable to confirm the nature of all the data that has been impacted” and “is taking the necessary steps to inform stakeholders”.

However, up to Wednesday – a full month after AFS first became aware of the cybersecurity breach – the hotel executive and her mother said they had no clue that their names, dates of birth, home addresses, telephone numbers and TRNs were openly accessible on the dark web.

Both women, who reside in central Jamaica and did not want their names published, confirmed that the personal data seen by The Sunday Gleaner were accurate. They also acknowledged conducting a loan transaction with AFS.

The hotel executive declined to comment, but her mother was livid, insisting that she was never notified by AFS about the cybersecurity incident or that sensitive personal data about her was involved.

“The word I will use is that I am enraged because it is supposed to be private information and I am such a private person that I don’t even use Facebook,” she fumed, making reference to the social media platform. The Sunday Gleaner understands that, subsequent to the interview on Wednesday, her daughter communicated with AFS about the matter.

For one cybersecurity expert, who has also reviewed the exposed AFS database, the breadth of information released on the dark web suggests that “a large volume of data was stolen”.

“This means that it was stolen over an extended period such as a few days or weeks,” said the expert, who asked not to be named.

Responding on Friday to questions submitted by The Sunday Gleaner, AFS said it was aware that sensitive information from the data breach remains on the web and indicated that it was “actively” working with its cybersecurity consultant to remedy the situation.

“While it may not be possible to completely remove the exposed data, we have advised all affected individuals to stay vigilant, monitor their personal accounts and financial statements for any unusual activity and take the necessary steps to secure their data,” AFS said.

The company also said, in its communication on Friday, that all affected individuals had been formally notified of the breach via email and text message.

The company also pushed back on claims that its internal systems were not implemented with the proper security considerations.

Forrest, who made the claim, went further, charging that the AFS data he saw was not appropriately encrypted and was instead being stored in clear text, which is unencrypted information that is easily readable and understandable by anyone who accesses it.

“There is no way, for a financial institution, that I should be able to get that level of details about customers’ accounts because there are certain fundamental details that should have been encrypted,” he said during an interview last Thursday.

“So, let’s say I got access to the database as a hacker, for example, there are some things I should not see. If the person’s email was encrypted in the database, the hacker wouldn’t be able to see it,” he said.

AFS, however, denied the assertion, disclosing that all its network drives have encryption which “has been and remains a standard feature of our security protocols”.

Further, the company said it also implemented a comprehensive range of other security measures to protect customer data, which included network monitors, firewalls, endpoint detection and response, patch management systems and vulnerability detection.

These measures, AFS said, are buttressed by the retention of a cybersecurity consultant who immediately mobilised when the breach occurred.

“It was these monitoring systems and cybersecurity protocols that allowed us to detect the breach as soon as it occurred and to notify the market immediately before the personal data were leaked on the internet.”

AFS said that, since the incident, it has reinforced its security practices and is working with cybersecurity consultants to identify and address any vulnerabilities.

The company said enhanced monitoring measures have also been put in place to detect and prevent future unauthorised access.

“We remain fully committed to ensuring the ongoing security of our customers’ personal data and are taking all necessary steps to ensure this issue is fully resolved,” it said.

Last week, after The Sunday Gleaner sought comment from the communications team at the Office of the Information Commissioner, the newspaper was informed that its enquiries about the incident were escalated to Information Commissioner Celia Barclay. However, up to yesterday, a response had not yet been received.

livern.barrett@gleanerjm.com