‘The Secrets of Dirty Money’ – the tagline accompanying the Panama Papers, a huge data leak containing roughly 11.5 million documents exposing how the rich and powerful use tax havens to hide their wealth.
With the shadowy world of finance providing the backdrop for this scandal, and politicians, FIFA officials, celebrities and drug smugglers the main protagonists, the impact of the data leak has sent shockwaves around the world.
The scandal begins over a year ago, when an anonymous source contacted the Süddeutsche Zeitung (SZ), offering encrypted internal documents from Panamanian law firm, Mossack Fonseca. In the following months, the data leak grew in size – so much so that the 2.6 terabytes of data surpassed the combined total of the Wikileaks Cablegate, Offshore Leaks, Lux Leaks, and Swiss Leaks.
A global team of 400 journalists from more than 100 media organizations in over 80 countries then set about analysing and researching the data – bringing us to today, where 12 current and former heads of states, among others, have been named and shamed on the front pages across the world.
The implications of this data leak are far reaching – none more so than the implications regarding tax avoidance, money laundering and sanction dodging that many high profile individuals have reportedly been involved in. However, this data breach should also provide a huge wake-up call for companies of all sizes and sectors – akin to the wake-up call Snowden provided back in 2013.
Emily Orton, Director at Darktrace, told CBR: "When Edward Snowden leaked classified information from the NSA in 2013, the compromise was called a ‘wake-up call’ to the public and privates sectors to the dangers of insider threat – particularly the threat of privileged users.
"Three years on, and we are still seeing the results of the inherent vulnerability of ever-growing, ever more complex computer networks, and the data they contain. 2.6 Terabytes of data is no trivial amount to exfiltrate.
"A lack of awareness and visibility of digital interactions and data remains responsible for major risks to companies in all sectors. This latest leak at Mossack Fonseca must again reinforce cyber security as a question of boardroom importance."
While all companies can certainly learn valuable lessons from this data leak, the legal sector should be sitting up and taking notice as their sector has been identified, as Brian Spector, CEO at MIRCAL put it, as a treasure trove or information and data.
Spector said: "As far as hackers are concerned, any legal firm represents a treasure trove of personal and financial data – but this latest attack is an absolute goldmine. Protecting your clients’ data is a fundamental part of being a lawyer, so it’s difficult to see how this firm can recover from a hack of this magnitude."
People trust their lawyers with a host of confidential information – and the key word there is confidential. There is probably only one other professional – the doctor – whereby the sanctity of confidentiality is non-negotiable. That data could be used to blackmail, send people to prison; for that data to be at the mercy of a weak security perimeter is simply not good enough – but then again, neither is the argument of technology ignorance, as Philip Lieberman, President of Lieberman Software, argues:
"Clearly we have seen in many cases of cyber-attacks, that the force majeure defense (unanticipated and impossible to protect from event (act of God)) only applies in a very tiny fraction of companies that have excellent cyber defense capabilities.
"As lawyers are gleeful to explain: ignorance of the law is no defense, but this case provides a new maxim: ignorance of competent cyber defense processes and technology is no excuse for allowing outside criminals and nation states access to your clients’ data.
"The implications of law firm breaches are mind boggling since parties within lawsuits provide full disclosure of their chosen law firms as a matter of public record. It is a simple step for a criminal to move on to attacking an appropriate law firm to harvest their files. For a criminal this could mean the ability to manipulate stocks, access the personal records of principals within the companies, and provide a way to blackmail person based on information not publicly known."
In the wake of this scandal, security experts are once again calling for the c-suite and senior leadership to better understand cybersecurity requirements, strategy and technology. Companies, legal and otherwise, must accept that no company is immune to attack, adopting a ‘when’ not ‘if’ attitude to cyber attacks. Nick Pollard, General Manager UK for Guidance Software, told CBR:
"For any organisation, it’s about not only having policies in place for data protection, but also enforcing these correctly; having a clear understanding of where data is – where it resides within the corporate network and who has access to it. For example, what do you know about those with highest privilege rights? Have the right checks been made? The risks of data leaks are there for any organisation. And the fallout from an insider breach can be particularly devastating."
Employees must be educated and monitored to protect against the insider threat, while on the client side there must be efforts made to inspect cyber warfare capabilities. As Robert Rutherford, CEO of QuoStar, told CBR: "Staff are not only the first line of defence against a hack, but can also be the biggest weakness in security if not correctly trained. Each member of staff must be encouraged and educated in how to use the most secure software no matter their personal preference.
"Additionally, every employee should be offered regular and up to date training on how to spot, block and report any suspicious activity."
We are only seeing the initial fallout from the Panama Papers – more is certain to follow with the headlines leading on the contents of the documents and the high profile clients involved in the spurious and illegal tax activities.
However, for the time being, companies can take note of this major data breach – bolster the perimeter, engage different authentication methods, educate employees and understand the strategy needed in a world where data, specifically stolen data, could sound the death knell for your business and reputation.
This article is from the CBROnline archive: some formatting and images may not be present.