Panama Papers: the result of neglected IT security


The financial, legal and political world have been turned upside down by the Panama Papers. But how on earth was it possible to steal 2.6 terabytes of data from Mossack Fonseca?

It has emerged that influential politicians and captains of industry, as well as top sports people have been involved in large-scale tax dodging using offshore companies or, to give it a more diplomatic name, tax avoidance. Not an offence as such, but usually described at the same time as being ‘morally objectionable’.

But there’s another world that hardly gets a mention in all of this – the IT security world. We have still no idea of precisely how the leak came about. Mossack Fonseca (MF), the legal consultancy firm who had 2.6 terabytes (!) of data stolen from it, said that it thinks the data was stolen from a hacked email server, as well as an 'attack on the database', but it doesn’t go into further details. The firm said that it has carried out a thorough investigation.

Fortunately, IT security people around the world tend to be very helpful when such mysteries arise. Various security experts have already immersed themselves in the issue, which in the meantime has resulted in more plausible and properly substantiated theories. Which turns out to be really quite alarming. Let’s take a look at a couple of security gaffes, although I can’t be absolutely sure that the actual modus operandi involved one of these weak spots.

  1. Mossack Fonseca uses WordPress for their website. As we know, it’s important to update WordPress websites and their add-ons on a regular basis because of the leaks that very often spring up. The version it used in mid-April was updated for the last time four months ago.
  2. The WordPress server ran on the same network as the database containing all the client files.
  3. The MF website uses a leaky WordPress plug-in: Revolution Slider. This plug-in has been attacked regularly since 2014.
  4. The mail server log-in details were stored in plain text in another WordPress plug-in.
  5. There was a client portal where clients could log in. A leaky version of Drupal was used for this that contained 25 different security leaks. Drupal had not been updated since 2013.
  6. The MF mail server had not been updated since 2009 and therefore contained numerous security leaks.
  7. The hazardous SSL v2 protocol was used for the client portal. 
  8. The website was vulnerable to SQL injections.
  9. Emails weren’t encrypted.
  10. Various experts are convinced that it must have been an inside job because of the characteristics of the leak itself (large volumes of data gradually trickling out). Typically this could be an employee who doesn’t have access to all of the data at the same time, and who is only able to steal individual pieces of information over longer periods of time.

As far as the first eight theories are concerned, there have clearly been serious shortcomings regarding information and IT security. But by definition this doesn’t really apply to the last theory, although there are technologies available that can greatly reduce the occurrence of inside jobs. For example, these technologies work so that access to sensitive information is limited to the people who are working together on that same sensitive information, or they can make it impossible to make digital copies of information from the database. Of course a highly motivated data thief can always take photos of the screen, or simply use old fashioned pen and paper, although it’s unlikely they would be able to copy all of the 11.5 million documents that make up the 2.6 terabytes.

Panama Papers: the result of neglected IT security

Eddy Willems

Why is this relevant to the rest of the world?

Because this data leak is a symptom of a problem that raises its ugly head in every sector. According to information security expert Dr Daniel Dresner, poor IT and information security at legal firms is the rule rather than the exception. And don’t forget, legal firms are exactly the places where highly confidential information is processed and stored. Moreover, legal firms tend to employ people with above average levels of intelligence, who also have a higher than average knowledge of the law. Therefore they can’t hide behind the excuse that ‘we didn’t know we had to secure client information’. I can imagine that information security in other sectors is just as bad, or even worse.

As far as I am concerned, the Data Protection Directive from the European Commission that’s going to make such lax attitudes towards information security illegal, can’t come fast enough. Although I fear it won’t really take effect until the first fines running into the millions have been imposed. 

This article was originally published by Eddy Willems, in Dutch, in the Belgium online magazine