igor - Fotolia

Panama Papers stolen by hackers, says Mossack Fonseca

Breach underlines need to focus cyber security on key data, say experts, after law firm’s founder insists the company was breached by an outside hacker

After days of speculation, the legal firm at the centre of the Panama Papers leak of confidential information about rich and powerful clients has claimed that the data was stolen by outside hackers.

According to Mossack Fonseca founding partner Ramon Fonseca, the firm has broken no laws and has filed a complaint with state prosecutors about illegal data access, reports ABC News.  

The Panamanian law firm came under scrutiny after 11.5 million documents were leaked to the International Consortium of Investigative Journalists and given extensive coverage in the UK by The Guardian.

“The only crime that has been proven is the hack,” Fonseca is quoted as saying. “We rule out an inside job. This is not a leak. This is a hack.”

Despite there being no mention of a hack in the law firm’s statement in response to media coverage of the issue, a screenshot posted on Twitter by WikiLeaks indicates that Mossack Fonseca clients were told the company was investigating an “unauthorised breach” of its email server.

With an estimated 2.6TB of stolen data, the breach dwarfs previous incidents and equates to about 2.6 million printed A4 pages or 13 tons of paper, according to Paul Ducklin, senior technologist at security firm Sophos.

Given the scale of the breach, Ducklin said it is likely there was more involved than just finding a password or tricking a user into opening a booby-trapped attachment.

“Presumably, the hackers needed to get in, find their way around, figure out what data was stored where, work out how to access it, and then find a way to collect and exfiltrate it,” he wrote in a blog post.

Ducklin said that in the client announcement, Mossack Fonseca “trotted out” the usual truisms heard after a breach of this sort.

The firm promised it had taken “all necessary measures to prevent this from happening again”, saying it is taking “additional measures to further strengthen [its] systems”, and claimed to be “in the process of an in-depth investigation with experts”.

According to Ducklin, an email breach is a big deal because if an attacker manages to get hold of just one user’s password, that can be enough to get started.

Attackers can then go on to make IT requests, such as asking for password resets, and if they manage to breach the email server itself, they could end up harvesting all incoming and outgoing attachments, which in turn could help them get further into the network, he said.

Senior security consultant Zak Maples of MWR InfoSecurity said one thing that is clear from the Mossack Fonseca case is that data breaches are becoming all too common.

“Data breaches are often causing irreparable brand and reputational damage to the businesses involved,” he said. “This proves that businesses need to take cyber security seriously as a business problem and not just an IT problem.”

Although early reports point to a compromise of an email server, Maples said it is MWR’s experience that further investigation is often needed to determine the cause of data breaches.

“Should the email server have been compromised, it could have happened in multiple ways,” he said. “The email server could have been exposed externally to the internet and an attacker could have performed password-guessing brute-force attacks to gain access to individual mailboxes.

“This is less likely to have occurred in the Mossack Fonseca case as the volume of data suggests the core server was compromised rather than individual mailboxes.
 
“This breach is quite possibly a broader compromise of the organisation. Attackers may have compromised the Mossack Fonseca network and elevated privileges to that of a domain administrator or email administrator and used these elevated privileges to access and download all the data contained on the email server.”
 
According to Maples, the key to organisations being able to defend against such attacks is to ensure they have an active cyber security program that enables them to predict, prevent, detect and respond to attacks.

“All too often, organisations fall into the trap of putting too many resources into trying to prevent an attack from happening in the first place, rather than understanding where security spending offers the most return on investment,” he said.
 
“For example, what is equally important is ensuring organisations have the ability to detect an attack when these preventative measures fail and can swiftly respond to the attack. Although there is no silver bullet in security, in this specific case it has been reported that 2.6TB of data was exfiltrated from the organisation.

“Detective controls that look for large spikes in data being transferred out of the organisation and other data loss prevention (DLP) controls could have helped to prevent the data being exfiltrated or being widely disseminated.”

Implementing controls

If Mossack Fonseca had followed this approach, its cyber security programme would have focused on implementing controls to protect the email server, to detect when the email server was under attack and to enable a swift response to contain and recover from such an attack.

The leak should be taken as a cautionary tale for legal firms in the UK, said Charles White, founder and CEO of security firm IRM.

“They need to understand that they are seen as a rich source of salacious data and are very much at risk of the same thing happening to them,” he said. “Data security should be the chief concern of any business holding personal and financial data, especially when it is as sensational as this.

“How and why it ended up with the press is unknown for now, but the motivation seems to be a WikiLeaks or Snowden-style leak to initiate debate and deal with the perceived issues of secretive offshore accounts and hedge fund culture.

“Financial data like this normally comes to the public domain after being sold on to the black market, so it is somewhat unusual that this appears to have been done in the public interest. Panama’s human rights record may also be a deterrent for whistleblowers based inside the country, pointing to external involvement.”

Data protection should be of the utmost importance for legal firms, said Luke Brown, vice-president and general manager for Europe, Middle East, Africa, India and Latin America at Digital Guardian.

“Yet we have seen a growing number of data breaches in law firms over the last few months, and this latest case reinforces the need for ‘data aware’ security technologies in the legal sector,” he said.

According to Brown, if Mossack Fonseca had had such technologies in place, it could have prevented its most sensitive emails and files being copied, moved or deleted without approval or permission.

“Companies must learn from incidents like this and better protect their IT environment, with the ability to apply security at the data level being of the utmost importance,” he said.

CW+

Features

Enjoy the benefits of CW+ membership, learn more and join.

Read more on Privacy and data protection

Join the conversation

2 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

With the high profile news coverage that data breaches have received, it is clearly time for companies to realize that today’s security posture has to include a deterrent to both external and insider threats where an attacker is looking throughout the environment for valuable data.

Organizations need to stop thinking that they can prevent all forms of attack and take a different approach. Deception-based technology that detects threats inside the network is available today and could have been used to reveal the presence of an attacker during their reconnaissance or lateral movement, providing an alert well before any data loss could occur.

Clearly, stop what you can outside the network, but also make sure you have the visibility to detect and promptly stop an attack that has gotten in.
Cancel
Well, this so-called leak should be a cautionary tale for the "one percent" who think it is their right to hide their wealth from the governing jurisdictions where they reside as residents or citizens. Whether Mossack Fonesca itself was involved in questionable transactions is a matter for investigation. Given the sheer volume of data that was "leaked" it is clear that Mossack Fonesca had no idea what what happening. This news should send all their current clients running out the door looking for another law firm to setup their questionable off-shore tax shelters.
Cancel

-ADS BY GOOGLE

SearchCIO

SearchSecurity

SearchNetworking

SearchDataCenter

SearchDataManagement

Close