The sudden appearance of Amitabh Bachchan, Aishwarya Rai Bachchan and a few other Indians in the news, Iceland’s Prime Minister Sigmundur Davíð Gunnlaugsson taking temporary leave from office, and more are all linked to the Panama-based law firm Mossack Fonseca. These names from across the world have surfaced as a result of the so-called “Panama Papers” breach, a set of more than 11 million documents leaked from the firm. News articles related to the incident have been doing the rounds in newspapers and on social media for the last 4-5 days. It is still unknown who is behind this and how he/she managed to get hold of the documents. The leaked documents are emails, PDFs, photos and excerpts of the firm’s internal database covering a period from 1970 to 2016. In total, 2.6 TB of data has been stolen from the firm.
This amount of data could not have been exfiltrated in a short amount of time, and one can wonder how the firm failed to spot the data going out. Maybe this astonishment is misplaced, as details of the firm’s poor security practices are coming out bit by bit.
What is the firm saying?
In a notification sent to its customers, Mossack Fonseca said that the hack happened on their email server. But surely that is only a small part of the truth, because who keeps this much data, much of it very old, on an email server?
In an interview with Reuters, the firm’s founding partner Ramon Fonseca said that the hack was not an inside job. They have a theory about how it happened and they are investigating it. He also added that the firm has made relevant complaints to the Attorney General’s office and that a government institution is studying the issue. The firm has also hired expert consultants to fix the security of their systems and to prevent such an incident from happening again.
What are security experts saying about Panama Papers?
It seems that the firm did an extremely poor job of securing the documents in the first place, and this is something its customers are unlikely to forget. Apparently, there are many areas the hacker could have exploited.
Forbes has reported that the firm’s website ran a 3-month-old version of WordPress and its customer portal most likely ran a 3-year-old version of Drupal. That’s a lot of unfixed vulnerabilities that would have been easily exploited.
WP Tavern’s Sarah Gooding said that the firm ran its unencrypted emails through an outdated 2009 version of Microsoft’s Outlook Web Access. Outdated open-source software running the front-end of the firm’s websites is also suspected to have provided a vector for the compromise. She further added that the firm’s main site is loading a number of outdated scripts and plugins.
Also, it’s been in the news that the hacker offered the exfiltrated documents to a Süddeutsche Zeitung (SZ) journalist back in January 2015, and the firm noticed only now that it had been breached. Security clearly has not been the firm’s priority.
According to Dr Daniel Dresner, a lecturer in cyber security at Manchester University, that’s not as much of a surprise as it should be. He told Wired that law firms often have a lax approach to security. He added, “There is always a feeling in the legal fraternity that whatever happens they’ll be able to get off the rap because they’re clever legal people. People are now starting to realize that legal companies are a great target. When you think about the size of stuff that they’re negotiating, who they’re negotiating for and the number of different parties involved, the motivation is there for people who want a bit of insider information.”
— The Cyber Blog India (@incyberblog) April 12, 2016
Considering the previous major leaks, Wikileaks Cablegate at 1.7 GB, Ashley Madison at 30 GB and Sony Pictures at 230 GB, the Panama Papers breach of 2.6 TB of data, the largest of all time, is certainly an eyebrow-raiser.