Compliance
NEWS ANALYSIS: The "Panama Papers" - The Data Security Implications

A firm operating in the field of data security and privacy examines some of the issues around the massive leak - or theft - of account files based in Panama.
The “Panama Papers” saga, involving a leak, or theft, of a vast trove of data on accounts set up via a Panama-based law firm, has already embarrassed politicians, caused a high-profile resignation from Transparency International (the organisation exposing dirty money and ranking international financial centres (IFCs) for good conduct), and even led to calls for certain jurisdictions linked to the UK, such as the Channel Islands, to be brought under direct control from London. Governments in the UK, Australia and New Zealand are examining evidence surfaced by the leak for possible leads.
This raises questions about how far governments can or should go in using stolen data for investigations, and whether there needs to be a much clearer dividing line between legitimate privacy and client confidentiality, on one side, and illegitimate secrecy, on the other. (In recent years, for example, authorities in Germany have used data stolen from Switzerland, and paid for it with public funds.) After all, the risk of kidnap and extortion remains real enough to encourage many rich persons to take the risk of parking money in certain IFCs rather than tell all to the tax authorities. However, the fact that, for example, past dictators who have looted their countries have used secret accounts makes the issue particularly toxic. And any politicians in major democracies with links to offshore will be hit at the ballot box because such activity smacks of hypocrisy.
The offshore world has been through dramatic changes in recent years and now faces international regimes such as the Common Reporting Standard, more pacts over automatic exchange of information, and demands for public registers of beneficial ownership. And yet at the same time there are worries about the activities of hackers who, while they might sometimes claim to have public interests at heart, may also be acting for political and criminal motives.
Against this background, MWR InfoSecurity, a firm operating in the fields of security and information protection, addresses some of the issues. The comments are from Zak Maples, a senior security consultant at the firm.
Is this the first of many such “largest data leak in history” type stories, as organisations battle to close the floodgates?
Whilst this breach has been given the title of the largest data leak in history, this can be somewhat misleading. It has been reported to be the largest due to the size of the data leaked. However, there are numerous different ways to measure how big a data breach is, in both tangible and intangible ways. For example, is the largest data breach one which involves the greatest number of individual people? The one with the largest amount of data stolen? Or one in which there is the most impact? Whilst this is uncertain, one thing that is clear is that data breaches are becoming an all too common trend that is often causing irreparable brand and reputational damage to the businesses involved. This proves that businesses need to take cybersecurity seriously as a business problem and not just an IT problem.
What does an “attack on its email server” mean - what would the attack look like?
There has been very limited information revealed about the nature of the attack. Although early details point to a compromise of an e-mail server, it is MWR’s experience that further investigation is often required to firmly establish the cause of data breaches. Should the e-mail server have been compromised it could have happened in multiple ways. The e-mail server could have been exposed externally to the internet and an attacker could have performed password guessing brute-force attacks to gain access to individual mailboxes. Alternatively, this could be part of a broader compromise of the organisation. Once attackers have gained access to an organisation’s network they will often look to elevate privileges and gain access to as many systems as possible. Attackers may have compromised the Mossack Fonseca network and elevated privileges to that of a domain administrator or similar and used these elevated privileges to access and download all the data contained on the e-mail server.
Do you think it was a lucky break or a planned attack - and assuming either, how could the hackers find “the gold”?
All cyber-attacks require a degree of planning but cyber criminals typically target several organisations in order to increase the chances of success. Issue-motivated groups (or "hacktivists") have also been known to target multiple organisations in campaigns focusing on a central theme. In this way, attackers increase their chances of getting "lucky".
Whilst law enforcement activity has severely curtailed the activity of Anonymous and other issue-motivated groups, this is the type of high profile attack hacktivist groups will want to accomplish. Anonymous and other issue-motivated groups have made a lot of noise about the perceived power of the 1 per cent and position themselves as a group fighting against inequality. It is likely that these hacktivist groups, if not responsible, will see the impact of this breach and take it as inspiration to target similar offshore law firms offering similar services in the future.
How would an organisation know something like this was happening and how could they stop it before the damage was done?
The key to organisations being able to defend against these attacks is to ensure they have an active cybersecurity programme that allows them to predict, prevent, detect and respond to these attacks. All too often organisations fall into the trap of putting too many resources into trying to prevent an attack from happening in the first place, rather than understanding where security spending offers the most return on investment.
For example, what is equally important is ensuring organisations have the ability to detect an attack when these preventative measures fail and can swiftly respond to the attack. Whilst there is no silver bullet in security, in this specific case it has been reported that 2.6TB of data was exfiltrated from the organisation. Detective controls that look for large spikes in data being transferred out of the organisation and other data loss prevention (DLP) controls could have helped to prevent the data being exfiltrated or being widely disseminated.
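The "large spike in data being transferred out" control described in the answer above, as an added illustration that is not MWR's code or part of the original article: each host's daily outbound volume is compared against its own earlier baseline, so a normally quiet mail server that suddenly pushes hundreds of gigabytes outward is flagged while a busier web host is not. The host names, dates and byte counts in the flow log are constructed sample data.

```python
# Added example (not from the original article or MWR): flag hosts whose
# outbound byte volume in a window far exceeds their own historical baseline.
from collections import defaultdict
from statistics import mean

# Constructed flow-log lines: "<date> <host> <bytes_out>", one per host per day.
FLOW_LOG = """\
2016-03-01 mail01 1200000000
2016-03-02 mail01 1300000000
2016-03-03 mail01 1100000000
2016-03-04 mail01 1250000000
2016-03-05 mail01 980000000000
2016-03-01 web01 500000000
2016-03-02 web01 520000000
2016-03-03 web01 480000000
2016-03-04 web01 510000000
2016-03-05 web01 530000000
"""


def parse_flow_log(text):
    """Return {host: [(date, bytes_out), ...]} sorted by date per host."""
    per_host = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, host, nbytes = line.split()
        per_host[host].append((date, int(nbytes)))
    for rows in per_host.values():
        rows.sort()
    return per_host


def find_egress_spikes(per_host, factor=10.0, min_history=3):
    """Return (host, date, bytes_out, ratio) tuples for every day on which a
    host sent more than `factor` times the mean of its own earlier days.
    A per-host baseline stops one busy host from masking a quiet one."""
    alerts = []
    for host, rows in per_host.items():
        for i, (date, nbytes) in enumerate(rows):
            if i < min_history:
                continue  # too little history to judge this host yet
            baseline = mean(b for _, b in rows[:i])
            ratio = nbytes / baseline
            if ratio > factor:
                alerts.append((host, date, nbytes, round(ratio, 1)))
    return alerts
```

In practice the same check would run on hourly rather than daily totals, since the 2.6TB figure reported here would stand out long before a full day had passed.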
What steps could be taken to prevent the success of such an attack in the future?
As mentioned, it is important that organisations have an active cybersecurity programme in place that allows organisations to predict, prevent, detect and respond to these attacks. The priority of such a programme should be the identification and protection of key business assets and IT assets. In the case of Mossack Fonseca, a key business asset would be the case files and private details of their clients. This would be mapped to numerous key IT assets, one of which would be the e-mail server due to the large number of e-mails containing this sensitive data. Thus, a focus of the cybersecurity programme should be to implement controls that protect the e-mail server, detect when the e-mail server is under attack and allow for a swift response to contain and recover from such an attack.