The famous line from 1997’s Titanic, “I’m on top of the world,” has come to mind recently after hearing of the “Panama Papers” leak involving the Panamanian law firm Mossack Fonseca, a leak that exposed information about shell companies owned by many of the world’s elite. The Titanic sank after striking an iceberg in the Atlantic Ocean. Fast forward 104 years, and we are watching our own version of a well-oiled machine suddenly meet its demise after hitting an unforeseen “obstacle.”
Mossack Fonseca has been at the epicenter of controversy since the release of what are now called the “Panama Papers” in early April. Touted as the largest data breach ever, the incident involved 2.6TB of information, including 4.8 million emails and 2.2 million PDFs: a titanic amount of data (pun intended). A vulnerable version of Revolution Slider running on the company’s website appears to be the source of the breach. The vulnerability gave attackers access to plaintext credentials, which in turn gave them access to an email server. An old version of Drupal with two dozen known vulnerabilities, running on Mossack Fonseca’s client access portal, is the likely entry point for the theft of the unstructured data in the breach (PDF files, images, text files, etc.).
Much like an iceberg, the real damage of a data breach is often done by what is unseen and unanticipated: the sensitive information that does far more long-term damage than a stolen credit card. Every data breach harms the organization it victimizes, but the hyper-sensitivity of the data released in the Panama Papers makes it that much more catastrophic for Mossack Fonseca. Within the leaked documents were records of shell companies set up by Mossack Fonseca for its many “passengers”, including over 140 politicians, heads of state, ministers, elected officials, and other high-net-worth individuals, as tax havens that let them hide funds from governments’ view. In addition, records linking Mossack Fonseca to known spies, terrorist organizations, and criminal enterprises have also surfaced. That’s one heck of an iceberg.
Although the matter is still under investigation by multiple regulatory agencies, Mossack Fonseca looks set to face a multitude of sanctions, fines, and customer complaints in the aftermath of such a high-profile breach, not to mention the loss of revenue from the now-public shell companies. The customers exposed by the breach can also expect some form of punishment: heavy fines, jail time, and a forever-tarnished reputation.
Clearly it’s what lies beneath that holds the danger, for both the Titanic and Mossack Fonseca. The survival rate on the Titanic was 32%. I think the employees of Mossack Fonseca would take that now, and it’s safe to say that the firm’s clients sure don’t feel “on top of the world” anymore.
While it is unclear whether all of the firm’s activities were above board, there is an obvious lesson for every enterprise looking to protect its organization and its clients: follow best practices with diligence. All reports suggest Mossack Fonseca did a poor job of patching vulnerabilities, segregating the networks serving public and private users, and implementing an in-depth information security strategy that could likely have protected its information. Had a client of the firm conducted a third-party risk assessment and continuously monitored the firm’s internet reputation, these problems might have been revealed. If enough clients performed such reviews and demanded change, the issues would have been corrected and client data much better protected.
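As an added example (not code from the original post, and not anything Mossack Fonseca ran), here is a small Python check of the kind the lesson above calls for. It takes an inventory of web-facing software components, compares each installed version against a baseline of minimum acceptable versions, flags anything patched more than a set number of days ago, and flags hosts that serve both public and private zones, which is the segmentation failure the post describes. The host names, component names, versions, dates and thresholds are constructed placeholders chosen for illustration, not real release numbers or facts about the firm.

```python
"""Patch-hygiene and segmentation check over a web-asset inventory.

Added example, not code from the original post and not anything Mossack
Fonseca ran. Every host name, component, version, date and threshold below
is a constructed placeholder for illustration.
"""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Component:
    host: str           # server the component runs on
    name: str           # software name as recorded in the inventory
    version: str        # installed version string
    last_patched: date  # date of the most recent update applied
    zone: str           # "public" (internet-facing) or "private" (client/internal)


def parse_version(text: str) -> tuple:
    """Turn '7.23' or '4.1.4-rc1' into a comparable tuple of integers.

    A pre-release suffix after '-' is ignored; non-numeric parts are dropped,
    so 'v1.9' becomes (1, 9).
    """
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))


def is_below(installed: str, minimum: str) -> bool:
    """True when installed < minimum; shorter tuples are zero-padded so that
    '7.2' and '7.2.0' compare equal."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def check_inventory(inventory, baseline, today, max_patch_age_days=90):
    """Return (host, component, message) findings for components that are
    below the baseline version, older than the patch-age limit, or absent
    from the baseline (an unmanaged component cannot be judged, so it is flagged)."""
    findings = []
    for c in inventory:
        minimum = baseline.get(c.name)
        if minimum is None:
            findings.append((c.host, c.name, "not in baseline: unmanaged component"))
            continue
        if is_below(c.version, minimum):
            findings.append((c.host, c.name,
                             f"version {c.version} is below minimum {minimum}"))
        age = (today - c.last_patched).days
        if age > max_patch_age_days:
            findings.append((c.host, c.name,
                             f"last patched {age} days ago (limit {max_patch_age_days})"))
    return findings


def check_segmentation(inventory):
    """Return hosts that serve both public and private zones: a public-facing
    component and a client portal on one machine means a hole in the former
    exposes the latter."""
    zones_by_host = {}
    for c in inventory:
        zones_by_host.setdefault(c.host, set()).add(c.zone)
    return sorted(h for h, z in zones_by_host.items() if {"public", "private"} <= z)


# Constructed sample inventory and baseline (placeholder values, not real data).
SAMPLE_INVENTORY = [
    Component("www.example.test", "revslider", "4.1.4", date(2015, 6, 1), "public"),
    Component("www.example.test", "wordpress", "4.4.2", date(2016, 2, 10), "public"),
    Component("portal.example.test", "drupal", "7.23", date(2013, 8, 8), "private"),
    Component("portal.example.test", "nginx", "1.9.12", date(2016, 3, 1), "public"),
]
BASELINE = {"revslider": "5.0.0", "wordpress": "4.4.2", "drupal": "7.43", "nginx": "1.9.12"}
ASSESSMENT_DATE = date(2016, 4, 1)

if __name__ == "__main__":
    for host, name, msg in check_inventory(SAMPLE_INVENTORY, BASELINE, ASSESSMENT_DATE):
        print(f"[patch] {host}: {name}: {msg}")
    for host in check_segmentation(SAMPLE_INVENTORY):
        print(f"[segmentation] {host} serves both public and private zones")
```

Run against the sample inventory, the script reports the two out-of-date components twice each (below baseline and past the patch-age limit) and names the portal host as one that mixes public and private services. The baseline dictionary is the piece a real deployment would maintain from vendor advisories; the check itself is deliberately simple so it can run on every inventory refresh.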