Hacker with a conscience or whistle blower?

Mossack Fonseca (MossFon) and the Panama Papers information security leak is the largest amount of data stolen from a single company in history. The story has made the German newspaper Süddeutsche Zeitung (SZ) a celebrity of investigative journalism, but don‘t mistake the extraordinary amount of work SZ and the International Consortium of Investigative Journalists put in to properly disclose the revealing information.

Was it a sophisticated hacker or was it an inside job?

The 2.6 terabytes of data that contain extraordinary details regarding the secretive business dealings of MossFon and 214,488 offshore business entities (companies, trusts, and foundations) were freely released to the media.

In his interview with Reuters Ramon Fonseca, founding partner of Mossack Fonseca, said they hadn‘t broken any laws and all of MossFon‘s operations are legal. “We rule out an inside job. This is not a leak. This is a hack.” Fonseca told Reuters.

In another interview with the Spanish news site El Español MossFon explained that the data was extracted through a breach in its email sever and they hired outside security experts to investigate. But Justin Harvey, chief security officer at Fidelis Cybersecurity, says he is skeptical that only the email server was breached. “Perhaps an email server was the way into their enterprise, but you don’t get millions of documents from just compromising that,” Harvey says. “The size of this points to it being an insider in my opinion.”

Security experts are debating the possibility of an inside whistle blower with high levels of access due to the slow extraction of the data versus the work of a black hat hacker who stumbled upon a gold mine of private information and chose to anonymously provide the German newspaper Süddeutsche Zeitung (SZ) the treasure trove of stolen data.

Both of the types of security breaches could have been deterred by the use of a higher quality ISMS, which was presumably expected by the clients of the law frim. Specifically the extensive integration and deployment of information security controls and practices such as the ISO/IEC 27001:2013 would have provided MossFon with a proven best practices model for risk management and preventative measures.

Due to the tremendous amount of data that was: digitized scans of contracts, picture IDs, and other paper documents (common for a law firm) one could argue that MossFon and its clients could have been better protected by not utilizing digital images of the written contracts and documents.

What‘s in the stolen data?

The data, dating back to 1977, included the names of over 14,000 brokers, mainly banks and other law firms, utilizing 21 offshore jurisdictions to allegedly arrange legal and illegal safe havens for some of the world‘s wealthy people. The files detail how clients of MossFon were able to launder money, dodge sanctions and avoid paying taxes in their own countries.

How did the media get their hands on the data?

The 11.5 m documents (emails, contracts, scanned documents and transcripts) were anonymously provided to the German newspaper Süddeutsche Zeitung and they intelligently shared the vast amounts of information with the International Consortium of Investigative Journalists (ICIJ).

The collaboration of 400+ journalists from more than 100 media organizations in over 80 countries makes the Panama Papers the biggest-ever international cooperation of its kind. The twelve months of work included compiling a database of the millions of documents through transforming all the raw data into machine-readable and easy to search files with optical character recognition software. The digital processing then made it possible to search the data using a search mask similar to Google for just about anything.

How could this happen to a law firm with vast amounts of resources and high profile clients?

It turns out that the front-end computer systems of MossFon are outdated and information security is a major problem due to some very basic ISMS fundamentals. The list of system security issues includes:

• The Outlook Web Access login hasn‘t been updated since 2009 and the main website is running an out of date version of WordPress, along with housing both servers on the same network. MossFon points to this as the breach point utilized by the hacker.
• The client portal is vulnerable to DROWN attack, a security exploit of the obsolete SSL v2 protocol.
• The portal runs on the Drupal open source CMS and hasn‘t been updated since August 2013 even though the infamous mass hacking Drupalgeddon in 2014 is well known.
• The Drupal version used has a minimum of 23 vulnerabilities, yet Mossack Fonseca touts the Client Information Portal as a „secure online account“ to access „corporate information anywhere and everywhere“. This is the likely vector used to access the PDFs and documents.

According to a privacy expert Christopher Soghoian, the emails exchanged at MossFon aren‘t encrypted and don‘t use the TLS security protocol expected of a law firm promoting it‘s client‘s privacy. Like pouring salt on open wounds, an April 1st, 2016 leaked email to its clients confirmed the security breach of the email servers and stated that „multiple layers of electronic security“ are in place limiting „access to files to selected individuals within our firm in order to prevent breaches.“

The WordPress security company Wordfence extensively analyzed the data breach via a well-known WordPress vulnerability allowing the hack of the emails. The more than 4.8m emails are the largest portion of the data and probably provided the most damning information about the individuals associated with MossFon and the offshore business entities used as tax havens and money laundries. Wordfence‘s analysis describes how easy it was for the hacker to access the database credentials and then the WordPress database to then discover the mail server address along with a username and password providing necessary security privileges.

SZ has stated the source wanted to remain anonymous due to the threat, “life in danger,” and communicated with SZ via encrypted chat. Because of the anonymity and the cryptic conversations and data transfers, some people believe this may be the work of a government agency with something to gain from the exposure of the common business practice, rather than an individual (hacker or whistle blower) with a conscience.

We believe the largest data heist in history could have been avoided.

The information risk management required to prevent such an event is our specialty. We have designed RM Studio to be a dynamic risk management toolkit based on the methodology of ISO/IEC 27005. Whether you have a sophisticated, mature ISMS or the very basics, RM Studio provides you with an efficient and organized system for implementing the the ISO/IEC 27001 best practice behaviors into everyday use in your organization.

Our previous article, Pirates are invading the Vikings, details a chain reaction from the first casualty from the Panama Papers security event, Iceland’s Prime Minister stepping down from his position.