Industry Reactions to Panama Papers: Feedback Friday

Hackers breached the systems of Panama-based law firm Mossack Fonseca and leaked a large number of documents that appear to show how politicians, businessmen and other public figures from across the world used offshore companies to hide their income and avoid paying taxes.

A source whose identity remains unknown provided news organizations with what has become known as the Panama Papers: 2.6 terabytes of data, totaling 11.5 million emails, database records, images and documents taken from the systems of Mossack Fonseca.

While some assumed this was an inside job, Mossack Fonseca said it was an external email hack, and it published a statement claiming that media reports portrayed an inaccurate view of the services it provides.

As for how the attackers gained access to the firm’s systems, Wordfence believes it might be related to a vulnerability in the Slider Revolution WordPress plugin. Another possible culprit, pointed out by Forbes, is a customer portal that was running a three-year-old version of Drupal.

Industry professionals commented on the Panama Papers, including the privacy, security and legal implications of the breach, and on how such incidents can be avoided.

And the feedback begins...

Chuck Lundberg, Chair of the Professional Liability Committee of the International Association of Defense Counsel (IADC):

" 'Cyber Liability' has been a cutting-edge exposure issue for lawyers and law firms for a couple years now. Groups like the IADC and the American Bar Association have repeatedly featured this issue in their national conferences recently.

The Panama Papers story focuses the cyber issue on a law firm in a way few prior stories have done. A very recent article in the Times of London indicated that the law firm involved -- Mossack Fonseca -- had significant computer security failings that allowed hackers to infiltrate its systems and steal millions of documents, quoting security experts who said the firm used outdated software containing security holes and failed to encrypt its emails. One expert noted that the firm’s Outlook email system apparently hadn't been updated since 2009.

Any potential legal malpractice claim arising out of a law firm hack like this would focus on whether the firm was negligent in its security precautions. The standard of care that firms must meet evolves over time, but the fact that sub-standard procedures have already been identified in this case does not bode well for the firm.

Another issue is who could sue, and for what damage. I don't think you're going to see lawsuits claiming that the law firm's negligence damaged a client's goal of illegally evading taxes. Legal malpractice law generally does not allow claims against lawyers by clients engaged in criminal or fraudulent activity."

Mateo Meier, data privacy advocate and CEO, Artmotion:

“The newly leaked Panama papers raise the question of whether or not the public can demand both a right to privacy and a right to transparency at the same time.

[...]

In the case of the Panama papers, the private information obtained is not just that of governments or corporations, but of multiple individuals within those organisations. In this way, the Panama leak begins to blur the line between corporate transparency and individual privacy - a distinction which should not be lost in the rush to name and shame corporate fat cats failing to pay their taxes.

To me the need for such whistleblowing highlights a direct failure on the part of the government to take action on some of the issues most important to the general public. As a result, internal individuals have been forced to take matters into their own hands. This however is not a system that we should look to accept as a long term solution."

James Bindseil - President and CEO, Globalscape:

“What should be abundantly clear to everyone in the wake of the Panama Papers leak is that, in 2016, the quest to simply adopt a comprehensive, holistic approach to security infrastructure is fool’s gold. Few—if any—organizations have the resources to block all comers and defend all walls; and while a layered defense is always recommended, every defense has the potential to fail in some way, whether by blind spot, blind faith or lack of oversight. Security needs to be asset-driven and information-centric because the hackers’ goal is not to infect a user, it is to damage or steal information assets. Regardless of what systems were compromised or vulnerabilities exploited, Mossack Fonseca’s greatest failure was not realizing or detecting the access and wholesale theft of four decades of archives in a record-setting 2.6 terabyte cache of files.

As such, security strategy must begin by classifying the most sensitive data assets, and focusing on access, governance and policies around data retention. Even with the most trusted insiders, unlimited and unchecked access should not be allowed. Credentials can be compromised. So there must be vigilant, continuous oversight—including policy automation—to ensure that valid access remains valid, triggers when that access is suspect, and revocation controls to hit pause while trust can be restored. The same checks and balances must also govern the valid transfer and sharing of those assets in the normal course of business.

Unless the crown jewels are themselves secured, any infrastructure controls only create a network that is simultaneously compromised and secure.”

Rajiv Gupta, CEO and founder, Skyhigh Networks:

“Political scandal, first through Edward Snowden and now through the Panama Papers hack, has followed bank robbery and espionage into the digital age. Only with online tools could a whistleblower hope to make off with 2.6 terabytes accounting for 11.5 million documents, and could journalists rely on powerful collaboration software to analyse the information. This generation’s Watergate will be conducted through shared folders and chatrooms.

On the business side, this data breach should be a wake-up call to all industries: Hackers are not just after social security, health insurance, and credit card numbers. Determined attackers follow ideological, political, and financial motives. Organisations need to assume all sensitive information — from private transactions to personal communication to intellectual property — is a target.

Organisations will need to start factoring cybersecurity capabilities into their vendor evaluation. The theft of client data draws awareness to the exposure organisations face from their business partners, especially those with access to large amounts of confidential information. Several top law firms recently suffered data breaches, a painful lesson that cybersecurity is a fundamental component of confidentiality. To an organisation a good CISO is becoming just as valuable as a good attorney or a good doctor to an individual."

Zak Maples, Senior Security Consultant, MWR InfoSecurity:

"Whilst this breach has been given the title of the largest data leak in history, this can be somewhat misleading. It has been reported to be the largest due to the size of the data leaked. However, there are numerous different ways to measure how big a data breach is, in both tangible and intangible ways. For example, is the largest data breach the one which involves the largest number of individual people? The one with the largest amount of data stolen? Or the one with the most impact? Whilst this is uncertain, one thing that is clear is that data breaches are becoming an all too common trend that is often causing irreparable brand and reputational damage to the businesses involved. This proves that businesses need to take cyber security seriously as a business problem and not just an IT problem.

All cyber-attacks require a degree of planning, but cyber criminals typically target several organizations in order to increase the chances of success. Issue-motivated groups (or ‘hacktivists’) have also been known to target multiple organizations in campaigns focusing on a central theme. In this way, attackers increase their chances of getting ‘lucky’. A similar attack was seen last week with the publishing of emails from Unaoil; however, there is currently no evidence that the attacks were related.

Whilst law enforcement activity has severely curtailed the activity of Anonymous and other issue-motivated groups, this is the type of high-profile attack hacktivist groups will want to accomplish. Anonymous and other issue-motivated groups have made a lot of noise about the perceived power of the 1% and position themselves as a group fighting against inequality. It is likely that these hacktivist groups, if not responsible, will see the impact of this breach and take it as inspiration to target similar offshore law firms offering similar services in the future."

Paul Shomo, Sr. Technical Manager, Strategic Partnerships, Guidance Software:

“Personally I think transparency is a valuable part of society self-regulating itself, yet there exists a tricky balance with the right to privacy. Many of us who produce software or services which protect sensitive data, and locate insider threats or hacktivists, have mixed feelings when leaks forward the public good. Technology has created a new world: the internet has erased portions of individual privacy, and whistleblowers and hacktivists have put incredible pressure on organizations engaging in unpopular behavior.”

Tim Edgar, academic director of law and policy at Brown University's Executive Master in Cybersecurity program:

"While it is generally a good thing when corrupt practices come to light, the Panama Papers fiasco also illustrates the poor security practices – bordering on chaos – that exist at many law firms around the world. Although lawyers have a professional obligation to safeguard confidentiality, too many fail to acquaint themselves with basic information security practices, such as encryption. No one expects lawyers to be technology experts, but they do need to ask the experts for their advice -- and follow it.”

Philip Lieberman, president & CEO of Lieberman Software:

“Irrespective of the data itself and its implications, we have seen a general increase in the cyber defense readiness of many law firms in the USA. Outside the USA there has been little interest by foreign law firms in investing in cyber security or in mounting competent cyber defense capabilities. This fact is of great value to many criminal and nation state actors in the exploitation of weak security within law firms. One should ask the value of confidentiality with a law firm if a hacker or nation state penetrates their perimeter and has full administrator access to all of the systems within a company. Further, how could a law firm make a client whole or even provide for their own defense if the breach was caused by their neglect, incompetence and greed?

Clearly we have seen in many cases of cyber-attacks that the force majeure defense (an unanticipated event that is impossible to protect against, i.e. an act of God) only applies to a very tiny fraction of companies that have excellent cyber defense capabilities. As lawyers are gleeful to explain: ignorance of the law is no defense, but this case provides a new maxim: ignorance of competent cyber defense processes and technology is no excuse for allowing outside criminals and nation states access to your clients' data.

The implications of law firm breaches are mind-boggling, since parties within lawsuits provide full disclosure of their chosen law firms as a matter of public record. It is a simple step for a criminal to move on to attacking an appropriate law firm to harvest their files. For a criminal this could mean the ability to manipulate stocks, access the personal records of principals within the companies, and provide a way to blackmail a person based on information not publicly known.

In the case of foreign or illegal transactions, the files of law firms may contain account numbers, PIN codes, passwords and other elements of accounts that may be exploited by an attacker. Many clients rely on the sanctity of confidentiality to keep their business secret, avoid taxes and avoid potential incarceration.”

Aftab Afzal, SVP & GM EMEA, NSFOCUS IB:

"As the world becomes increasingly digital, more and more bad actors are coming online every day and, as a result, attacks like these are becoming more prolific. Whilst hackers do not discriminate, they do also target organisations. Hacktivist groups use targeted attacks and campaigns to expose organisations and their links to unsavoury practices - and this looks like a targeted attack.

The challenge of network security is not a small undertaking, and there is no single solution that can prevent breaches like this from recurring. All organisations should start with a credible risk analysis that outlines the true impact of such a breach and identifies all possible access points. Our experience has shown that the best practice would be to create rigorous policies and security awareness programs that are backed by security tools based on proactive threat intelligence and protection across each layer of the network, not forgetting the crucial ingress points.”

David Gibson, VP of strategy and market development, Varonis:

"Email servers tend to be one of the largest troves of valuable information. If you were spying on a company, the CEO’s mailbox would be a pretty fantastic place to see what was going on. One of the security challenges with email is that the most valuable mailboxes tend to be the least secured. This is because executives and law-firm partners often have assistants and other people that get access to their mailboxes – some even have banks of admins that all have access for long periods of time.

Another security challenge with email is that mailbox activity is rarely logged or analyzed, making it very difficult to spot abuse or theft. Lastly, Microsoft Exchange has “public folders” where a lot of sensitive information can pile up, and which a lot of companies don’t pay much attention to securing. If an assistant’s account gets compromised through phishing or password stealing, or if an assistant turns out to be acting maliciously, the contents of the executive’s mailbox can easily be compromised without detection."
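
Gibson's three points (delegated access to partner mailboxes, mailbox activity that is never logged, and neglected public folders) map onto a concrete set of checks. The following PowerShell is an added example for the on-premises Exchange Management Shell (Exchange 2013 or later assumed); it is not code from the article or from any of the firms quoted. The mailbox addresses, the 30-day review window and the 180-day audit retention are assumptions. It lists who holds Full Access on each high-value mailbox, switches on mailbox audit logging (which is off by default on-premises), summarizes delegate and admin activity against a mailbox, and flags public folders where someone other than the Default or Anonymous principal holds Owner rights.

```powershell
# Added example, not from the article: audit delegate access and logging on
# high-value mailboxes in on-premises Exchange (2013+ Management Shell assumed).
# The addresses below are placeholders; replace with the partners' mailboxes.
$HighValueMailboxes = @('partner1@example.com', 'partner2@example.com')

# 1. Who holds Full Access on each partner mailbox?  Skip inherited entries
#    and the NT AUTHORITY\SELF entry that every mailbox carries, so only
#    explicitly granted delegates (assistants, admins, service accounts) remain.
foreach ($mbx in $HighValueMailboxes) {
    Get-MailboxPermission -Identity $mbx |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and
                       -not $_.IsInherited -and
                       $_.User -notlike 'NT AUTHORITY\*' } |
        Select-Object Identity, User, AccessRights
}

# 2. Enable mailbox audit logging.  Owner actions are not recorded by default;
#    delegate and admin actions are what matter here.  FolderBind records a
#    non-owner opening a folder, which is the "someone is reading the partner's
#    mail" event.  Retention is set to 180 days (assumed; default is 90).
foreach ($mbx in $HighValueMailboxes) {
    Set-Mailbox -Identity $mbx -AuditEnabled $true `
        -AuditDelegate Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf `
        -AuditAdmin Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, MessageBind, SendAs, SendOnBehalf `
        -AuditLogAgeLimit '180.00:00:00'
}

# 3. Review: which non-owners touched a partner mailbox in the last 30 days,
#    and how often?  A delegate generating thousands of FolderBind/MessageBind
#    events across many folders looks like bulk collection, not assistant work.
foreach ($mbx in $HighValueMailboxes) {
    Search-MailboxAuditLog -Identity $mbx -LogonTypes Delegate, Admin `
        -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ShowDetails |
        Group-Object LogonUserDisplayName, Operation |
        Sort-Object Count -Descending |
        Select-Object @{Name = 'Mailbox'; Expression = { $mbx }}, Count, Name
}

# 4. Public folders: anyone other than the Default/Anonymous principals holding
#    Owner rights gets listed, so broad grants on folders full of sensitive
#    material are visible rather than forgotten.
Get-PublicFolder -Recurse -ResultSize Unlimited |
    Get-PublicFolderClientPermission |
    Where-Object { ([string]$_.User) -notmatch '^(Default|Anonymous)$' -and
                   $_.AccessRights -contains 'Owner' } |
    Select-Object Identity, User, AccessRights
```

Step 2 only starts the clock; step 3 is the part that has to be run (or scheduled and fed into a SIEM) to catch the scenario Gibson describes, where a compromised or malicious assistant account reads an entire partner mailbox without anyone noticing.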

Charles White, CEO of IRM:

“The scale of the leak has rightly raised eyebrows, but the fact it happened at all shouldn’t be surprising – I would estimate the information security procedures in offshore firms are not as tight as those in, say, the City of London.

The firm’s customers will likely be leaving in droves today, so this is an absolute disaster for them. This could be a fatal hit to their reputation, especially as their customers implicitly expect their activity to remain secret. We’re also likely to see further legal repercussions in the form of a class action lawsuit if the data was indeed stolen due to a lapse in security.

The leak should be taken as a cautionary tale for legal firms in the UK – they need to understand that they are seen as a rich source of salacious data and are very much at risk of the same thing happening to them. Data security should be the chief concern of any business holding personal and financial data, especially when it’s as sensational as this.”

Mike Davis, CTO, CounterTack:

“From a security standpoint it brings to the surface a very important issue for organizations that think of themselves as a small-medium business. Namely, the need to protect IP and customer information like they are in fact an enterprise organization. One high-profile client puts your network at the same risk as if you were a Fortune 50 or government agency.”

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.