Panama Papers – The World’s Largest Data Leak

On Sunday, the International Consortium of Investigative Journalists announced the world’s largest data leak to the public. Kept secret since late 2014, the data leak from the Mossack Fonseca law firm is said to be 2000 times larger than 2010 Wikileaks Cablegate release of US State Department documents. A massive 2.7 terabytes (TB) of emails, database files, and PDFs which equals almost 40 years of documents was collected from the anonymous whistle-blower. In comparison again to Wikileaks, Cablegate was a mere 1.7 gigabytes (GB) of data.

“This is pretty much every document from this firm over a 40-year period,” ICIJ director Gerard Ryle told WIRED in a phone call, arguing that at “about 2,000 times larger than the WikiLeaks state department cables,” it’s indeed the biggest leak in history.

What are the Panama Papers?

The Panama Papers allegedly contain information on 143 politicians, their family members and friends who have been creating offshore companies as tax havens. Fallout has begun with protests in Iceland calling for the resignation of the Prime Minister whose name has been linked to an offshore company in the British Virgin Islands. The Russian government has dismissed claims of wrongdoing and describe it as a “series of fibs” created to discredit Putin ahead of elections. However several countries including the US, Mexico, and Britain have vowed to investigate the possibility of tax evasion.

Why target a law firm?

Axiom has been tweeting lately about how law firms are an attractive target for hackers and that large elite law firms in the US have recently been directly targeted by hackers. And remember our blog post a few months ago about how law firms are being targeted?

Panama Papers proves just how lucrative the data breach of a law firm can be for hackers. Think about all the data that a law firm has: health, financial, intellectual property, and business trade secrets. In the wrong hands, that data would be a virtual treasure trove of information to be sold in the Dark Web.

There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.

Cisco CEO – John Chambers

Law firms cannot take the head in the sand approach to cybersecurity anymore. It’s time for law firms to start assessing their vulnerabilities and planning for a sound cybersecurity infrastructure.

How was the data leaked?

In late 2014, an anonymous whistle-blower contacted the German newspaper Suddeutsche Zeitung stating that they had “more data than you have ever seen” in relation to crimes that the person wanted to make public. At this time, it is not publicly known how the whistle-blower was able to send so much data undetected over such a period of time however Bastian Obermayer, the reporter for Suddeutsche Zeitung who was contacted by the whistle-blower, stated that he “learned a lot about making the safe transfer of big files”.

Obermayer indicated that he communicated through various encrypted channels with the whistle-blower who sent the data in chunks until the 2.7 TB were amassed. Suddeutsche Zeitung contacted the ICIJ and the ICIJ created a secure portal where journalists could research the data. Over 400 journalists kept the information a secret until Sunday when over 100 news outlets published the first articles about the data leak.

Earlier in the day, the Mossack Fonseca website told its customers that their email server suffered an unauthorized breach. The company denies any wrongdoing and has published a lengthy rebuttal to the media reports. A spokesperson has stated that the company may pursue legal action against the news agencies for using the information that was obtained illegally.

It appears that you have had unauthorized access to proprietary documents and information taken from our company and have presented and interpreted them out of context. We trust that you are fully aware that using information/documentation unlawfully obtained is a crime, and we will not hesitate to pursue all available criminal and civil remedies.

Carlos Sousa – Public Relations Director, Mossack Fonseca & Co. (Panama)

The one thing that has not been mentioned yet is the data protection liability suit that the 4th largest offshore law firm in the world may have coming in the near future. Target settled its data breach for $100 million… this one is going to be much larger.

Doom and gloom?

While the Cisco CEO says that there are two types of companies, ones that have been hacked and ones that know they’ve been hacked; the cybersecurity future is not completely doom and gloom for businesses. There are some basic things that businesses can do to better protect themselves.

  • Use endpoint (anti-virus and anti-malware) software on all devices and keep it up-to-date
  • Protect the business with a firewall that inspects traffic both in and out of the business
  • Get a vulnerability and penetration assessment

 

Worried about cybersecurity? Axiom Cyber Solutions can help!

Let our cybersecurity experts secure your business against today’s threats and those of tomorrow. Axiom Cyber Solutions offers vulnerability and penetration assessments, managed firewall services, and cybersecurity & disaster recovery strategic planning services.

Axiom Cyber Solutions strives to make cybersecurity affordable to small businesses that may not have a large IT budget. Starting at just $199 per month, with no long term obligation, Axiom Cyber Solutions has developed a managed cybersecurity program to give small businesses the same protection as large enterprises. We provide a fully configured enterprise class next generation firewall (NGFW) that is plug & play to the business and begins to monitor, manage, and update the firewall as soon as it comes online.

About the Author