The 2.6 terabytes of information that were leaked detailed the way in which the world’s rich are able to exploit secretive offshore tax methods. The data provided to the German publication comprised 4.8 million emails, 3 million database files, 2.1 million PDFs, 1.1 million images, 320,166 text files and 2,242 files in other formats. This information is the basis of the Panama Papers, from which a full list of companies and people who profited from offshore tax regimes is due to be published in May 2016.
How Was The Information Leaked?
As yet, it is not clear how Mossack Fonseca’s systems were breached, or by whom. However, it is known that a person identifying themselves as ‘John Doe’ contacted ‘Süddeutsche Zeitung’ and offered them the information, which was then drip-fed to the paper over the space of a year. Some experts believe that the sheer quantity of data, combined with the slow pace of retrieval, suggests the work of an insider who had the privileges to access the data but not the opportunity to copy much of it at any one time. Others disagree with this theory, pointing to the appalling security flaws present in Mossack Fonseca’s systems, which would have made the firm a target for external hackers.
Since the attack, Mossack Fonseca’s systems have been under scrutiny from cybersecurity researchers all over the world. Unfortunately, the firm displayed an appalling disregard for current security measures. Some of the flaws include:
The Outlook Web Access platform which runs the webmail service had not been updated with security fixes since 2009, leaving years of publicly known vulnerabilities unpatched and making it an easy target. Email sent by the firm was not protected with TLS (Transport Layer Security), so messages travelled between mail servers in plaintext rather than over an encrypted connection. According to a leaked message to customers, Mossack Fonseca’s email servers were subject to an unauthorised breach from an attack thought to have been launched from overseas.
Client Login Portal
Mossack Fonseca’s ‘Client Information Portal’ was also key to the Panama Papers leak. The company promoted this portal to its customers as a ‘secure online account’ which could be used to access ‘corporate information anywhere and everywhere’. Mossack Fonseca’s clients trusted the security of this platform, so they would have been shocked to learn that the portal had not been updated with security patches since August 2013. The portal is built on the Drupal open source CMS, but the old version in use by the Panamanian firm had at least 25 known vulnerabilities, including a high-risk SQL injection flaw which would have allowed anyone to execute arbitrary commands remotely.
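The root cause of the portal’s SQL injection weakness, and the fix, can be shown in a few lines. The following is an added illustration, not code from the article or from Drupal: a client lookup written the vulnerable way (user input spliced into the SQL text) beside the hardened version (a fixed statement with the value bound as a parameter), using Python’s sqlite3 module and a constructed client table. A small log-side heuristic is included to show what a defender can flag in request logs while the patch is being applied.

```python
"""Vulnerable vs hardened client lookup (added example, not the portal's code)."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory table of constructed sample clients."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (id INTEGER PRIMARY KEY, username TEXT, company TEXT)"
    )
    conn.executemany(
        "INSERT INTO clients (username, company) VALUES (?, ?)",
        [("alice", "Alpha Holdings Ltd"), ("bob", "Beta Trust"), ("carol", "Gamma SA")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The value is concatenated into the statement, so the database cannot tell
    # where the developer's SQL ends and the user's text begins.
    sql = f"SELECT username, company FROM clients WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    # The statement is fixed at development time; the value is bound separately
    # and is only ever treated as data, never as SQL.
    sql = "SELECT username, company FROM clients WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Heuristic for request-log review or a WAF rule: a quote followed by a SQL
# keyword, or a SQL comment marker. It is a detection aid, not a fix.
INJECTION_PATTERN = re.compile(
    r"""['"].*?\b(or|and|union|select|drop)\b|--|/\*""", re.IGNORECASE
)


def looks_like_injection(value: str) -> bool:
    return bool(INJECTION_PATTERN.search(value))


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input that breaks out of the quoted string
    print("vulnerable:", lookup_vulnerable(db, probe))  # every row comes back
    print("hardened:  ", lookup_hardened(db, probe))    # no row has that literal name
    print("flagged:   ", looks_like_injection(probe))
```

The hardened function returns nothing for the probe because the bound value is compared literally against the username column; a name containing an apostrophe (o'brien) still works with the hardened query and does not trip the heuristic, which is the edge case to check before deploying any such rule.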
Yet another oversight from the IT team at Mossack Fonseca was that the servers and website were not configured according to best practices. In fact, hackers would have been able to reach back-end parts of the law firm’s systems simply by guessing the correct URL structure. Furthermore, the corporate site, which was built on WordPress, was running a three-month-old version, which also left the firm exposed.
The leaked Panama Papers should be a wake-up call to law firms all over the globe. Legal firms deal with highly confidential details, so they are bound to be a prime target for hackers seeking insider information. It is therefore vital that law firms have extensive, up-to-date security measures in place to protect themselves and their clients from ruin. The government sets fines of up to £500,000 for companies who suffer lost data or a breach of confidentiality. As a bottom line, all systems and platforms must be kept updated with the security fixes and patches that vendors regularly provide. It is also vital that email messages are sent over TLS, so that a third party cannot read or tamper with the firm’s messages in transit.
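Both the description of the firm’s unencrypted email above and the closing advice to send mail over TLS come down to one question a defender can check: does the mail server advertise STARTTLS when a client says EHLO? The following is an added example, not code from the article. It parses the capability list an SMTP server returns to EHLO and reports whether STARTTLS is offered; the two transcripts are constructed, and check_live_server() applies the same check to a real host using Python’s standard smtplib (the only function that touches the network).

```python
"""Does an SMTP server offer STARTTLS? (added example, constructed transcripts)."""
import smtplib
import ssl

# Constructed EHLO replies, not captured from any real server.
EHLO_WITH_STARTTLS = (
    b"250-mail.example.test Hello client\r\n"
    b"250-SIZE 52428800\r\n"
    b"250-STARTTLS\r\n"
    b"250 HELP\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    b"250-mail.example.test Hello client\r\n"
    b"250-SIZE 52428800\r\n"
    b"250 HELP\r\n"
)


def parse_ehlo_capabilities(reply: bytes) -> dict:
    """Turn a multi-line 250 reply into {KEYWORD: [parameters]}.

    The first line is the server greeting, not a capability (RFC 5321, 4.1.1.1);
    every later line is "250-" (more to come) or "250 " (last line) plus a keyword.
    """
    caps = {}
    lines = reply.decode("ascii", errors="replace").splitlines()
    for line in lines[1:]:
        if not line.startswith("250"):
            continue  # ignore anything that is not part of the 250 reply
        body = line[4:].strip()  # drop "250-" or "250 "
        if not body:
            continue
        keyword, *params = body.split()
        caps[keyword.upper()] = params
    return caps


def starttls_offered(reply: bytes) -> bool:
    return "STARTTLS" in parse_ehlo_capabilities(reply)


def assess(reply: bytes) -> str:
    """Plain-language verdict suitable for a report."""
    if starttls_offered(reply):
        return "STARTTLS offered: mail can be encrypted in transit"
    return "STARTTLS NOT offered: mail would be sent in cleartext"


def check_live_server(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Connect to a real server and negotiate STARTTLS.

    Returns True only if the server advertised STARTTLS and the TLS handshake
    completed with certificate verification against the system trust store.
    """
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False
        smtp.starttls(context=ctx)
        smtp.ehlo()  # RFC 3207 requires a fresh EHLO once TLS is up
        return True


if __name__ == "__main__":
    for name, reply in [("good", EHLO_WITH_STARTTLS), ("bad", EHLO_WITHOUT_STARTTLS)]:
        print(name, "->", assess(reply))
```

Note that STARTTLS being advertised is the minimum: whether the peer enforces it, and whether the certificate verifies, are separate checks, which is why check_live_server() uses a default SSL context that verifies certificates rather than an unverified one.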
Having an ongoing security strategy, with rigid practices and roadmaps for your business, is essential if you want to avoid your own Panama Papers-style crisis. As IT security specialists for the legal sector, we are able to ensure full compliance with regulations set by the Attorney General, the Information Commissioner’s Office and the Bar Council. Want to know more? Get in touch today.