Lessons from Mossack Fonseca

It pays to be careful


♫ Learn from my mistake
My mistake, my mistake
My mistake...

- Music, Lyrics and recorded by: Brown, Keenan, Anselmo, Windstein, Bower, recorded by: Down.

Regardless of the speculation over what, if anything, the tax avoidance and shell-company law firm Mossack Fonseca (“MF”) was up to, if there is one important lesson from the Panama Papers disclosure, it is that all of us can increase the level of protection around our client’s data and our own.

The volume of the data leak is amazing. It comprised 2.6 terabytes of data according to Forbes magazine. That makes it the largest of all time (whatsabyte.com states that 10 terabytes could hold the printed collection of the Library of Congress). By way of comparison, the Ashley Madison leak was less than a paltry 30 gigabytes (only about 8% of the MF leak).

The leaked data include 4.8 million emails, 3 million database format files, 2.2 million PDFs, 1.1 million images, and 320,000 text documents, (Computerworld.com).

According to Forbes, whomever performed the leak was much more careful. All MF’s emails, files and images were stored on encrypted drives, moved securely to the Cloud and made available to both technical and non-technical journalists while being kept under wraps. They used Veracrypt, an open-source encryption application, to protect the data.

Veracrypt, according to Wikipedia, has the ability to create a “hidden volume” where a second encrypted space is created within an already encrypted disk. It also has the ability to create and run an entire hidden operating system. One can speculate on the circumstances when such extreme protection would be warranted. But since there are lawyers who must act for clients sought by some of the most repressive regimes in the world whose very lives depend on keeping the confidentiality of the data, one can realize that there are circumstances when such protection is warranted.

How did the leak occur?

Forbes states:

“[MF’s] portal used by customers to access sensitive data was most likely run on a three-year-old version of Drupal, 7.23. That platform has at least 25 known vulnerabilities at the time of writing, two of which could have been used by a hacker to upload their own code to the server and start hoovering up data. Back in 2014, Drupal warned of a swathe of attacks on websites based on its code, telling users that anyone running anything below version 7.32 within seven hours of its release should have assumed they’d been hacked.”

To add insult to injury, apparently MF’s website states: “Your information has never been safer than with Mossack Fonseca’s secure Client Portal.”

However, Computerworld states:

“This breach is quite possibly a broader compromise of the organization,” Maples added. “Attackers may have compromised the Mossack Fonseca network and elevated privileges to that of a domain administrator or email administrator and used these elevated privileges to access and download all the data contained on the email server.”

Regardless of how the penetration occurred, the data and public relations loss is immense. But taking appropriate steps now, the rest of us can learn from their mistake and ensure that our firm’s name is not sitting on the opening page of major news sites around the world.

Related Articles