The Panama Papers - a new kind of breach?

Posted by David Gamey on 06 Apr 2016.

In the world of data breaches, it’s not often that we see something totally new. This last week we may just have had such a thing. Most people are familiar with easily monetized breaches such as those involving credit cards and tax information. Occasional breaches of health information and privacy are also familiar. Rarer are some of the large breaches like the politically motivated attack on Sony Pictures linked to North Korea, the Ashley Madison shutdown extortion, and the US intelligence disclosures by Snowden and others. Even rarer are nation-state attacks like Stuxnet. But the Panama Papers seem different. Breaches of law firms aren’t unknown, but they also aren’t that notable.

In an impressive act of cooperation, the International Consortium of Investigative Journalists (ICIJ) worked this case for a year before over a hundred news organizations simultaneously released articles on this breach.

What do we know? This may well be the largest breach ever, at over 2 terabytes and 11 million documents spanning 40 years. It’s much bigger than the 2010 WikiLeaks and the 2013 NSA disclosures. It’s titillating because it involves powerful people, celebrities, and the super-rich. The taxation authorities in many countries are trying to get copies of these papers. So, likely, will a score of divorce lawyers. The prime minister of Iceland has resigned, and there is mounting pressure on a number of current and former world leaders. Spin doctors and damage control efforts will be working overtime.

We don’t know a lot about the technical details. A vulnerable mail server seems to have been exploited. This was likely used as a pivot to gain access to internal systems, as keeping a trove of data like that in email would be an amazingly stupid thing to do.

We don’t know much about the person or persons who pulled this off, nor do we know much about their motives. It might be politically motivated, or an insider, or external activists; it could even be state sponsored. It’s simply too early to tell.

The technical details of the case may emerge, but they will play second fiddle to the human and political drama being played out across the globe. As with the Snowden disclosures, we will likely see follow-on revelations for many months.

The high-profile, high-value law firm, Mossack Fonseca, should have had world-class security given their clientele and the kinds of transactions they facilitate. They’ve claimed the breach is “limited”. But it would appear that neither of these is true. It remains a question: can the firm ultimately survive this?

What can we learn from this? Basically, given the right motivation, any business can be a target. And some businesses are not paying enough attention to their cyber security. And just because your business isn’t typically targeted doesn’t mean you should assume that it won’t be. Businesses need to understand their risks so that they can take appropriate precautions.

References

The International Consortium of Investigative Journalists website https://panamapapers.icij.org/

Panama Papers: Leaks spur global investigations http://www.bbc.com/news/world-35960329

Some technical details and speculation http://www.itpro.co.uk/data-leakage/26293/panama-papers-leaked-through-server-hack-1

Law firm responds http://fortune.com/2016/04/04/panama-papers-law-firm/

China censors coverage http://www.theglobeandmail.com/report-on-business/china-limits-coverage-and-denounces-panama-papers-tax-haven-revelations/article29525079/

Iceland’s PM is first casualty http://www.cbc.ca/news/world/panama-papers-ukraine-poroskenko-offshore-assets-1.3520996

Wired covers the investigation http://www.wired.com/2016/04/reporters-pulled-off-panama-papers-biggest-leak-whistleblower-history/

List of breaches since 2005 https://www.privacyrights.org/data-breach (As of 2016-4-5 Fonseca is not yet on it)