Security Experts:

Hack of Global Law Firm Appleby Exposes Rich and Famous

'Paradise Papers' Expose Financial Moves by Global Elite

Following the huge 2016 leak of documents stolen from Panamanian firm Mossack Fonseca (aka, the Panama Papers), the expected analyses of documents stolen more recently from the Appleby law firm (aka, the Paradise Papers) has begun. The route is the same in both cases -- the German newspaper Suddeutsche Zeitung obtained the stolen documents from an anonymous source (possibly the hacker, or via a third party), and passed them to the International Consortium of Investigative Journalists (ICIJ).

The ICIJ then worked with 95 media partners to explore a total of 13.4 million documents comprising those stolen from Appleby together with other documents from the smaller family-owned trust company, Asiaciti, and from company registries in 19 secrecy jurisdictions.

Very little is known about the actual hack of Appleby. The firm released a statement over the weekend in response to a BBC Panorama program broadcast on Sunday, and other media coverage beginning to appear via ICIJ's media partners. The ICIJ says it "and its media partners will be publishing multiple stories in the coming days and weeks." These stories will disclose the efforts taken by the rich and famous to use offshore tax regulations to their best advantage -- ranging from the Queen of England and Apple (BBC report) to the rock star Bono and many, many more.

Appleby says, "We wish to reiterate that our firm was not the subject of a leak but of a serious criminal act. This was an illegal computer hack. Our systems were accessed by an intruder who deployed the tactics of a professional hacker and covered his/her tracks to the extent that a forensic investigation by a leading international Cyber & Threats team concluded that there was no definitive evidence that any data had left our systems."

The greater part of the Appleby statement is an attempt at brand damage limitation. "The journalists do not allege, nor could they, that Appleby has done anything unlawful. There is no wrongdoing. It is a patchwork quilt of unrelated allegations with a clear political agenda and movement against offshore."

That the hack and leak of documents is politically motivated is clear and obvious. This is pure hacktivism with a motivation similar to that of the Occupy Movement -- and the reality is that hacktivism is difficult to defend against.

"While the mechanics of the breach itself have yet to be revealed, this was clearly a targeted attack," comments Mark Sangster, VP and industry security strategist at eSentire. "Appleby took appropriate response steps in notifying their clients; but you can't insure [against] this. This class of events demonstrates why law firms must protect their clients' confidential information. No amount of cyber insurance, data back strategies, nor business continuity planning can ever put this genie back in the bottle."

Incident response is relatively meaningless if no incident is detected -- or not, as in this case, detected until too late.

"Financial information, particularly tax arrangements," says Andy Waterhouse, EMEA director at RSA Security, "can be as sensitive as medical information and if exposed can be the source of embarrassment and reputational damage for Appleby's clients. Even if they are not breaking any laws, it's the public perception that can be damaging. When selecting partners, these individuals expect that their data will be highly guarded to prevent such exposure. The fact that they have been exposed in this way creates a huge break in trust with Appleby and could have serious ramifications in the long term on its own reputation as a vault of secrecy."

The whole incident demonstrates why data protection regulators are increasingly specifying the need to use encryption to protect sensitive information. Since no organization can guarantee that it will never be breached, and since business continuity and cyber insurance are meaningless against the loss of this type of data, encryption is the most effective defense.

The ICIJ tells us, "The Paradise Papers documents include nearly 7 million loan agreements, financial statements, emails, trust deeds and other paperwork over nearly 50 years from inside Appleby, a prestigious offshore law firm with offices in Bermuda and beyond." There are clearly many documents that are now historical documents. These, at the very least, should have been encrypted.

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.