Panama Papers stolen by hackers, says Mossack Fonseca

Breach underlines need to focus cyber security on key data, say experts, after law firm’s founder insists the company was breached by an outside hacker

After days of speculation, the legal firm at the centre of the Panama Papers leak of confidential information about rich and powerful clients has claimed that the data was stolen by outside hackers.

According to Mossack Fonseca founding partner Ramon Fonseca, the firm has broken no laws and has filed a complaint with state prosecutors about illegal data access, reports ABC News.  

The Panamanian law firm came under scrutiny after 11.5 million documents were leaked to the International Consortium of Investigative Journalists and given extensive coverage in the UK by The Guardian.

“The only crime that has been proven is the hack,” Fonseca is quoted as saying. “We rule out an inside job. This is not a leak. This is a hack.”

Despite there being no mention of a hack in the law firm’s statement in response to media coverage of the issue, a screenshot posted on Twitter by WikiLeaks indicates that Mossack Fonseca clients were told the company was investigating an “unauthorised breach” of its email server.

With an estimated 2.6TB of stolen data, the breach dwarfs previous incidents and equates to about 2.6 million printed A4 pages or 13 tons of paper, according to Paul Ducklin, senior technologist at security firm Sophos.

Given the scale of the breach, Ducklin said it is likely there was more involved than just finding a password or tricking a user into opening a booby-trapped attachment.

“Presumably, the hackers needed to get in, find their way around, figure out what data was stored where, work out how to access it, and then find a way to collect and exfiltrate it,” he wrote in a blog post.

Ducklin said that in the client announcement, Mossack Fonseca “trotted out” the usual truisms heard after a breach of this sort.

The firm promised it had taken “all necessary measures to prevent this from happening again”, saying it is taking “additional measures to further strengthen [its] systems”, and claimed to be “in the process of an in-depth investigation with experts”.

According to Ducklin, an email breach is a big deal because if an attacker manages to get hold of just one user’s password, that can be enough to get started.

Attackers can then go on to make IT requests, such as asking for password resets, and if they manage to breach the email server itself, they could end up harvesting all incoming and outgoing attachments, which in turn could help them get further into the network, he said.

Senior security consultant Zak Maples of MWR InfoSecurity said one thing that is clear from the Mossack Fonseca case is that data breaches are becoming all too common.

“Data breaches are often causing irreparable brand and reputational damage to the businesses involved,” he said. “This proves that businesses need to take cyber security seriously as a business problem and not just an IT problem.”

Although early reports point to a compromise of an email server, Maples said it is MWR’s experience that further investigation is often needed to determine the cause of data breaches.

“Should the email server have been compromised, it could have happened in multiple ways,” he said. “The email server could have been exposed externally to the internet and an attacker could have performed password-guessing brute-force attacks to gain access to individual mailboxes.

“This is less likely to have occurred in the Mossack Fonseca case as the volume of data suggests the core server was compromised rather than individual mailboxes.

“This breach is quite possibly a broader compromise of the organisation. Attackers may have compromised the Mossack Fonseca network and elevated privileges to that of a domain administrator or email administrator and used these elevated privileges to access and download all the data contained on the email server.”

According to Maples, the key to organisations being able to defend against such attacks is to ensure they have an active cyber security program that enables them to predict, prevent, detect and respond to attacks.

“All too often, organisations fall into the trap of putting too many resources into trying to prevent an attack from happening in the first place, rather than understanding where security spending offers the most return on investment,” he said.

“For example, what is equally important is ensuring organisations have the ability to detect an attack when these preventative measures fail and can swiftly respond to the attack. Although there is no silver bullet in security, in this specific case it has been reported that 2.6TB of data was exfiltrated from the organisation.

“Detective controls that look for large spikes in data being transferred out of the organisation and other data loss prevention (DLP) controls could have helped to prevent the data being exfiltrated or being widely disseminated.”

Implementing controls

If Mossack Fonseca had followed this approach, its cyber security programme would have focused on implementing controls to protect the email server, to detect when the email server was under attack and to enable a swift response to contain and recover from such an attack.
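The kind of detective control Maples describes, a check for large spikes in data leaving the organisation, can be sketched as a per-host baseline over daily egress totals. This is an added example, not part of the original article or any vendor's product; the host names, dates, byte counts and thresholds are constructed assumptions to be tuned per environment.

```python
from collections import defaultdict
from statistics import median

UNIT = 10**8  # 100 MB

# Constructed sample: daily bytes sent to external addresses, in 100 MB units.
_SAMPLE = {
    "mail01": [41, 38, 44, 40, 39, 43, 42, 610, 885, 41],
    "file01": [10, 12, 9, 11, 10, 13, 11, 12, 10, 11],
}
FLOWS = [(f"2024-01-{d:02d}", host, v * UNIT)
         for host, vals in _SAMPLE.items()
         for d, v in enumerate(vals, 1)]

def daily_egress(flows):
    """Sum outbound bytes per host per day (several flow records may share a day)."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, nbytes in flows:
        totals[host][day] += nbytes
    return totals

def egress_spikes(flows, window=7, k=6.0, min_history=5, floor=10**9):
    """Flag days whose egress exceeds median + k * MAD of the host's recent days.

    The baseline uses the last `window` observed, unflagged days, so a
    multi-day transfer cannot raise its own baseline. `floor` suppresses
    alerts on hosts whose volume is too small to matter.
    """
    alerts = []
    for host, per_day in daily_egress(flows).items():
        clean = []  # egress of prior days that were not flagged
        for day in sorted(per_day):  # ISO dates sort chronologically
            sent, history = per_day[day], clean[-window:]
            if len(history) >= min_history:
                base = median(history)
                mad = median([abs(v - base) for v in history])
                # Guard against a near-zero MAD on very steady hosts.
                limit = max(base + k * max(mad, 0.05 * base), floor)
                if sent > limit:
                    alerts.append((host, day, sent, base))
                    continue  # keep the spike out of future baselines
            clean.append(sent)
    return alerts

if __name__ == "__main__":
    for host, day, sent, base in egress_spikes(FLOWS):
        print(f"{day} {host}: {sent / 10**9:.1f} GB out, baseline {base / 10**9:.1f} GB")
```

A baseline like this only sees volume; it complements, rather than replaces, the DLP controls mentioned in the same quote, which inspect what is leaving.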

The leak should be taken as a cautionary tale for legal firms in the UK, said Charles White, founder and CEO of security firm IRM.

“They need to understand that they are seen as a rich source of salacious data and are very much at risk of the same thing happening to them,” he said. “Data security should be the chief concern of any business holding personal and financial data, especially when it is as sensational as this.

“How and why it ended up with the press is unknown for now, but the motivation seems to be a WikiLeaks or Snowden-style leak to initiate debate and deal with the perceived issues of secretive offshore accounts and hedge fund culture.

“Financial data like this normally comes to the public domain after being sold on to the black market, so it is somewhat unusual that this appears to have been done in the public interest. Panama’s human rights record may also be a deterrent for whistleblowers based inside the country, pointing to external involvement.”

Data protection should be of the utmost importance for legal firms, said Luke Brown, vice-president and general manager for Europe, Middle East, Africa, India and Latin America at Digital Guardian.

“Yet we have seen a growing number of data breaches in law firms over the last few months, and this latest case reinforces the need for ‘data aware’ security technologies in the legal sector,” he said.

According to Brown, if Mossack Fonseca had had such technologies in place, it could have prevented its most sensitive emails and files being copied, moved or deleted without approval or permission.

“Companies must learn from incidents like this and better protect their IT environment, with the ability to apply security at the data level being of the utmost importance,” he said.