When it comes to challenges, controversy, hurdles, scandals and consumer complaints, there was no shortage at the country’s sole water and light company GEBE in 2022.  

From its March 17, ransomware attack, which led to its abrupt physical closure for two months and almost three weeks, a lengthy blackout of information, billing issues, changes in management, the scrapping of senior relief, a slew of customer complaints and dwindling finances, GEBE has managed to dominate headlines fairly consistently throughout the year. As it is the country’s sole water and electricity provider, issues with GEBE impact and touch just about every household and business entity in the country. It is for these reasons that GEBE has emerged as The Daily Herald’s Story of the Year for 2022.

The issues surrounding the fight by several families and professionals in the area of mental health and the many issues plaguing the snail’s-pace rebuilding of Princess Juliana International Airport (PJIA) were amongst the other contenders for Story of the Year.

  While there had been scandals and issues with management earlier in the year, the challenges with GEBE were compounded on March 17 when the company was hit by a BlackByte ransomware attack, which “interrupted” GEBE’s systems and forced the closure of its offices until further notice. At the time, the government-owned company urged the public not to open any GEBE emails or attachments.

  BlackByte is said to be a ransomware-as-a-service (RaaS) operation that leases out its ransomware infrastructure to others in return for a percentage of the ransom proceeds. It emerged in July 2021 when it began exploiting software vulnerabilities to target corporate victims worldwide, it was stated on website techcrunch.com.

In the weeks following the attack, not much information was provided to consumers. Minister of Public Housing, Spatial Planning, Environment and Infrastructure VROMI Egbert Doran said on Wednesday, March 23, that he would rather not comment as it was an “ongoing situation.”

The incident did somewhat spur government into action, as Prime Minister Silveria Jacobs said government had assessed its own systems after the GEBE hit.

GEBE said in late March that it had been in an active investigation and incident response phase related to the attack and urged its online banking customers to pay their bills online and those who had not received a bill to make a payment of their estimated monthly amount. Then-Interim Manager Merrill Temmer said the company’s electrical and water distribution networks had not been impacted, hence the community would continue to be served.

The “blackout” of information continued, and on May 4, Doran, in response to questions during the live Council of Ministers press briefing, said that, based on information he had received, no ransom had been paid and as the hack was still live and direct, sensitive information could not be divulged. No “concrete date” was provided for the reopening of the utilities company at that time. Asked about reports indicating that the ransom amount that had been requested was between US $1 and $2 million, Doran said at the time: “With respect to the amount in the ransom, it’s varied and I don’t have the specific one right now because it keeps changing and I think that was brought out in the reports as well, but not any official report so to speak.”

Reopening

On Wednesday, April 6, Jacobs said GEBE had been advised during a meeting between the company and ministers to reopen its doors as soon as possible. GEBE had announced in April that it was in the “final planning stage” of reopening, but stopped short of specifying when it planned to reopen.

Finally, on May 29, GEBE officials announced that the company would reopen to physically accept payments as of Monday, June 6, and while consumers were to have been issued three bills at the same time, payment arrangements would be possible, there would be no disconnections until further notice and no late fees would be applied. It was later mentioned that disconnections and late fees would resume in September. Consumers objected and the latter was not implemented.

The reopening sort of “fell flat”, as the large influx of customers that were expected to go and pay did not show up. Customers who wanted to pay trickled in and payment was slow. This was compounded by the fact that the reopening was marred by clients receiving excessively exorbitant bills. The rush was from customers who wanted to query their hefty bills.

Complaints of incorrect bills and issues with the reconciliation of bills continued for some time, with GEBE indicating on several occasions that it had been working arduously to resolve these issues. Complaints included some accounts being invoiced only for electricity, some only for water and some receiving no invoice at all or receiving bills that were not accurate.

  Some customers who visited Customer Service to obtain their bills were told there were none, in some cases, dating back six months to the present. The complaints were many. To date, some clients still have billing complaints. 

On October 14, Jacobs updated Parliament indicating that the company’s customer care had handled more than 1,000 “move ins” and 635 “move outs”, and that GEBE had responded to 12,500 customers by mail and to 3,000 in person. This resulted in consumers querying how many of these cases were actually resolved.

As it relates to the promised payment arrangements, clients who went to make use of such in the initial weeks following the reopening were told that this was not possible. This was later reversed under new management. 

Resignations, suspension, inactive duty

While the company battled to recover from the attack, there several issues were brewing at the company’s helm. The Council of Ministers had requested that GEBE’s Supervisory Board of Directors assign a crisis management team at GEBE as soon as possible. Then-Temporary Manager Daniel responded in a radio interview, saying that the company already had such a team.

There had been a string of resignations from the Supervisory Board of Directors (SBOD) in late August and early September. Those who resigned included Anastacio Baker (former Chairman), Lela Simmonds, then-Vice-Chairman Dimar Labega and then-board-member Vanessa Fraser.

In mid-September, temporary manager Sharine Daniel was placed on inactive duty and Chief Operations Officer (COO) Merrill Temmer was suspended. Troy Washington was later appointed as temporary manager as the investigation into the hack began. The Integrity Chamber later announced that it had decided to initiate an investigation into the utilities company. The investigation came on the Integrity Chamber’s own initiative and was based on various news reports concerning the country’s sole utilities provider.

Finances

GEBE’s finances suffered tremendously in the months following the hack. On June 12, Doran told MPs that as of June 1, GEBE had in excess of NAf. 50 million in its various bank accounts. He said GEBE’s cash flow had plummeted due to no billing since March 17, and incoming payments had declined, but GEBE had a cash reserve on hand which could be used to buffer the financial situation. In March and April, incoming payments from customers were fairly significant on invoices received in February and March, and old past due invoices were being settled. However, incoming payments as of May had tapered off significantly, resulting in GEBE having to postpone payments to vendors and postpone certain CAPEX and maintenance projects. 

He said also that no in-depth audits had been conducted on GEBE’s information technology (IT) infrastructure network. The audits would have to be outsourced.

On August 24, GEBE sounded the alarm indicating in a press statement that it could no longer finance the electricity and water usage of the country from its reserves and urged clients to uphold their responsibility by settling their bills. The company also released its billing and collection policy, and specified which category of clients would be eligible for disconnections as of September 1 and which categories would not face disconnections at that time. Persons who received bills and made no payments risked being disconnected. This entire plan was subsequently scrapped after the appointment of Washington at the company’s helm.

Then-temporary-Manager Daniel called the company’s financial situation critical during an interview with Lady Grace on the Breakfast Lounge on PJD2 on September 1. Daniel said that the company had actually produced more kilowatt-hours of electricity from March to July of this year than it had done for the corresponding period last year. GEBE produced more than 132 million kilowatt-hours in electricity from March to July 2021 and 139 million kilowatt hours of electricity from March to July of this year, so it had been producing and distributing, but collections were not up to par.

She said that before the ransomware attack, GEBE normally collected “550 a day in cash [it could not be ascertained whether the ‘550’ referred to means 550,000 and whether it is dollars or guilders]. Since March 17, we barely collect even two [the amount being referred to could not be ascertained] a week, sometimes it’s $30,000 a day. Sometimes it’s $20,000 a day, which barely makes 200-and-something thousand a week.”

By October 14, Jacobs revealed to Parliament that GEBE’s cash liquidity was down from NAf. 50 million in June to NAf. 29 million as of September 30. This was indeed critical, as GEBE tries to maintain a NAf. 30 million reserve balance for unforeseen events.

In an effort to increase its collection efforts, GEBE announced on October 27 that clients with pre-hack pay plans should make their payments current by October 31 to avoid being disconnected. On October 30, GEBE said a “remarkably low” number of clients who had received their correct bills were compliant when it came to payment. It said only 50% of its clientele who had received their correct bills were compliant with payment and it urged its customers to remain current with their bills.

On November 27, GEBE also announced that business clients with past due bills should pay within two days.

On December 14, Jacobs told Parliament that GEBE was working out a “bare bones” budget to reflect its current reality. Closer to the end of the year, payments from consumers were improving and GEBE was able to do better as it relates to its obligations with its suppliers.

Lost, not lost

The lack of communication from the company during the initial stages of the attack fuelled mistrust amongst consumers. When information was revealed, it was in some instances unclear and in most cases not thorough.

While the company had initially maintained that certain information had not been compromised, it was only in September that it was revealed by Daniel that GEBE had lost “a year gap” of data in the ransomware attack. Daniel said the attack had encrypted the company’s system and resulted in the data loss.

Further, on October 14, Jacobs told Parliament that information related to the payroll file of utilities company GEBE was the only encrypted data recovered and that two payments were also made for a “fast data recovery.” She said two payments for a total of just over US $5,000 had been made for fast data recovery as a result thereof. This contradicted earlier statements that nothing had been paid.

Scare 

The company and consumers had a scare on December 5, when reports were circulating that GEBE’s system had been hit by another ransomware attack. The company quickly dismissed the reports, noting that it had temporarily taken its critical systems and its entire information technology network offline after two computer devices on its IT network appeared suspicious. There was no data breach and no risks had been detected, GEBE assured.

As the curtains close on the year 2022, it is hoped that the new year brings new prospects for the country’s sole utilities provider and that it manages to climb out of the rut caused by its ransomware attack. 

Bron: Daily Herald