When perusing the news about various fails in cybersecurity, both recent and past, the consequences are typically not positive. In fact, industry figures over the past year indicate cryptomining is up, along with those pesky infected phishing emails. Not only do these fails generate massive losses for companies—a sum Ponemon now places at about $5 million for each attack—but they can lead to productivity loss, downtime, and a massive break in trust for customers and end-users. And most of the time, these victims are just good guys and gals looking to earn a living in a tough and competitive capitalist environment.
But on some rare occasions, a fail in cybersecurity actually comes through with a dose of poetic justice by exposing the nefarious workings of high-level criminals whose privilege and celebrity allow them to break all sorts of rules, financial and otherwise, that should apply to all. You know the ones—politicians, government leaders, corporate giants, drug smugglers, professional athletes, famous figures—who use their power to keep secrets of dirty money hidden from the world. While these highly profitable individuals and businesses often appear untouchable, it is their lack of digital prowess in the security department that ends up exposing their misdeeds, and in the case of the Panama Papers, leaking actual documentation that forced them into accountability—to both the world and themselves.
What are the Panama Papers?
The Panama Papers, which were first leaked in 2015, are one of the greatest collections of leaked data in history, dwarfing even the infamous Edward Snowden leaks. They exposed a shady financial world that, up until then, had only existed in shadow—and it all went down not through an official FBI probe or an international securities investigation, but because of some super-shoddy cybersecurity habits.
In a nutshell, the Panama Papers are damaging documents which were stolen from Mossack Fonseca, a Panama-based law firm that offered rich clients “comprehensive legal and trust services,” and then leaked to the public. With jurisdiction in places like Belize, Cyprus, Hong Kong, Malta, Bahamas, and the Seychelles, the firm was the ideal partner for shady tax shelters and channels for criminal activities like arms sales and human trafficking. The leaked Papers were comprised of email chains, invoices, and documents, all of which arrived in encrypted form to the office of Süddeutsche Zeitung (SZ), one of the largest daily newspapers in Germany. The 2.6 terabytes of incriminating information arrived from an anonymous source who didn’t want money or notoriety—just some attention paid to hidden crimes of the rich and famous.
What did the Panama Papers expose?
From FIFA officials to fraudsters, the leaked data gave rare insight into how a global industry led by banks and legal firms, like Mossack Fonseca, secretly managed the estates of the world’s most powerful people. When the 11.5 million leaked documents were shared, they exposed sensitive information around attorney-client privilege of more than 214,488 offshore entities, all of which had been handled by the corporate service provider, Mossack Fonseca. Somehow an anonymous whistleblower with significant hacking abilities accessed the elite firm’s database and scurried off with their dirty digital laundry, which was then turned over to the German press.
The dirty documents contained the personal financials of certain wealthy individuals and public officials who had been engaging in offshore business practices of the not-so-legal kind. Some stunning names included several heads of state in Argentina, Ukraine, and Saudi Arabia, as well as Icelandic Prime Minister Sigmundur Davíð Gunnlaugsson, who left office in the wake of the Panama Papers fallout. Other government officials in France, Australia, Brazil, Israel, Italy, North Korea, Spain, the U.S., and the U.K. (including Prime Minister David Cameron) were also implicated in unethical financial behavior. With the intent to commit fraud and tax evasion, while skirting any international sanctions that rained on their illegal parades, these parties were the victims of one seriously crafty hack. But in this case, the cyber attack was not done with the intent to profit or spread maleficence—but instead, to reveal the truth.
How did poor cybersecurity affect the leak?
Some would say an astonishing lack of basic web security practices is what created the Panama Papers in the first place. If Mossack Fonseca and their web administrators had been more adept at covering their digital tracks and protecting their data, it’s likely many of the exposed fat cats would still be licking their paws in satisfaction. After the fact, security experts dug into the methods of the hack and came to the conclusion that this type of data breach could have easily been avoided with basic security measures.
The elite firm was using WordPress and Drupal—both of which were over two years out of date—to manage their content and power their public websites, while using a client portal to share sensitive documents between the firm and their clients. All of these platforms are written in PHP and are open source, which means their code is free and easily accessible to the outside world, developed and maintained by the community, often known as “the core.” Sure, these systems can be secure when handled properly, but in the case of Mossack Fonseca, they were the main reason attackers were able to infiltrate their system and steal damaging documents. Their platforms were not updated, and the firm did not patch their software as recommended by the core.
Plugins and Modules
Aside from just using outdated versions of WordPress, they were also employing the Revolution Slider plugin, which posed a well-known vulnerability when not updated. And because the firm’s email server was hosted on the same server as their website, their communications were likely compromised through the Revolution Slider security hole. In this case, the plugin was not sold through WordPress but was instead sold and downloaded right from the company website as well as the software vendor, Code Canyon. Buying code this way puts the onus of responsibility on the user, who must effectively analyze how well the plugin is maintained and updated for security.
Mossack Fonseca hosted their email and the web services on the same server, which is really a no-no in the cybersecurity world. By decentralizing where data lives, users mitigate risk to any one system because they are not connected. Emails held on a separate server create challenges for hackers, even if the site itself is compromised.
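The missed core and plugin updates described above are the kind of gap a routine version audit catches. The following is an added example, not code from the original article or from the firm's systems: it reads the installed WordPress core version and each plugin's header version from disk and lists anything below a minimum-version policy. The plugin names, version numbers, and policy values are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

# Constructed policy: placeholder minimums, not taken from any real advisory.
MIN_VERSIONS = {"core": "5.0", "example-slider": "2.0.0", "example-forms": "3.0"}

def older(have, minimum):
    """True if version `have` is lower than `minimum` (numeric parts, zero-padded)."""
    a, b = ([int(p) for p in re.findall(r"\d+", v)] for v in (have, minimum))
    n = max(len(a), len(b))
    return a + [0] * (n - len(a)) < b + [0] * (n - len(b))

def core_version(root):
    """Read $wp_version from wp-includes/version.php."""
    text = (Path(root) / "wp-includes" / "version.php").read_text(errors="replace")
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", text)
    return m.group(1) if m else None

def plugin_versions(root):
    """Map plugin directory name -> Version field of its header comment."""
    found = {}
    for php in sorted((Path(root) / "wp-content" / "plugins").glob("*/*.php")):
        head = php.read_text(errors="replace")[:8192]
        m = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", head, re.M)
        if "Plugin Name:" in head:  # only the plugin's main file carries this header
            found[php.parent.name] = m.group(1) if m else None
    return found

def audit(root, policy=MIN_VERSIONS):
    """Return (component, installed, minimum) rows that are below policy or unreadable."""
    installed = {"core": core_version(root), **plugin_versions(root)}
    stale = [(n, installed[n], m) for n, m in policy.items()
             if n in installed and (installed[n] is None or older(installed[n], m))]
    return sorted(stale, key=lambda row: row[0])

def build_sample_site():
    """Constructed WordPress-like tree so the example runs offline."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '4.1';\n")
    for slug, ver in (("example-slider", "1.9.3"), ("example-forms", "3.2")):
        d = root / "wp-content" / "plugins" / slug
        d.mkdir(parents=True)
        (d / f"{slug}.php").write_text(f"<?php\n/*\nPlugin Name: {slug}\nVersion: {ver}\n*/\n")
    return root

if __name__ == "__main__":
    print(audit(build_sample_site()))
```

Plugins bought outside the WordPress.org directory need their minimums tracked from the vendor's own release notes, since the policy table is only as current as whoever maintains it.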
So, when people roll their eyes at cybersecurity or write it off as optional, they miss the larger lesson to be learned—a lesson Mossack Fonseca and their many wealthy clients learned the hard (and deeply embarrassing) way. The largest data breach in history, known as the Panama Papers, was the direct result of digital negligence and the larger attitude that security doesn’t apply to everyone. But in an ironic twist, the privileged few who once believed the law did not apply to them, now realize the need for good cybersecurity applies to everyone, especially those with the most to hide.