The San Juan Daily Star
Investigation of PRASA cyberattack proceeds apace
By The Star Staff
After a March 13 cybersecurity incident on the platforms of the Puerto Rico Aqueduct and Sewer Authority (PRASA), the agency has continued to collaborate with the relevant authorities -- the Office of Innovation and Technology Services of the Government of Puerto Rico (PRITS by its Spanish acronym), the FBI and the federal Cybersecurity and Infrastructure Security Agency (CISA) -- with the investigation of the event, after which it was confirmed on March 25 that personal information of PRASA customers and employees was compromised.
According to Puerto Rico law, any agency that owns or keeps a database that includes personal information of citizens or residents of Puerto Rico must notify those citizens or residents of any breach of system security when the information banks whose security was breached contain all or part of their personal information file and it is not protected with cryptographic keys beyond a password. Notification must occur within three business days of or upon becoming aware of the system security breach.
According to the ongoing investigation, the nature of the personal information of citizens who could be at risk in the incident was: files containing combined name and surname or one or more of the following data: social security number, driver’s licenses, electoral card, passports or other personal identification.
“PRITS and AAA continue to conduct a rigorous forensic investigation, with the support of the FBI,” PRASA Executive President Doriel Pagán Crespo said Monday. “At present, the number of people whose personal information was exposed has not been determined with certainty.”
The official noted what the agency has done to protect the citizen’s personal information from future system breaches.
“PRASA in coordination with PRITS has taken the necessary measures to strengthen the security mechanisms in PRASA’s information systems and reduce the possibility of an incident like this happening again,” she said. “Among the measures established are the following: eliminating the storage of copies of personal information of customers and using available government platforms to validate the identity of our customers.”
Pagán Crespo also urged “all of our customers to access their accounts and change their passwords periodically not only on the PRASA platform but on all platforms that have accounts.”
She invited citizens to visit https://www.protegetusdatos.pr.gov to avoid falling victim to a cyberattack. As a precautionary measure, PRASA is in the process of contracting the credit monitoring service for its active and inactive clients, employees and former employees. The service will be free of charge for those who wish to subscribe. Employees and former employees will receive a communication by postal mail that will indicate the steps to follow to register for the service. For customers with active and inactive accounts, PRASA will detail the steps to follow to register for the service by way of the service bill, the website on https://www.acueductospr.com, the customer service offices, and through the call center at 787-620-2482, or for the audio-disabled, at 787-679-7322.