Panama Papers Breach Reveals Astonishingly Lax Network Security
NEWS ANALYSIS: While the vast quantity of information revealed in the breach of the Mossack Fonseca law firm far exceeds the volume taken by Edward Snowden, the main question is how this could happen?
My first reaction after reading accounts about the breach of a vast trove of financial and related information from the Panamanian law firm Mossack Fonseca was to channel John Le Carré and his famed Panamanian tailor/spy Harry Pendel. However, the reality is much less interesting. The story is actually about a company with third-rate security that gets exploited by a routine hack.
While the details of the attack on Mossack Fonseca haven't been fully revealed, and while there's a great deal of hay being made by newspapers reporting details about prominent people who have offshore financial accounts, the really important story is about what wasn't in the breach. And no, I'm not talking about the puzzling lack of involvement by Americans. What's clearly lacking is even the most basic attempt at protecting the firm's client data.
The firm’s founding partner, Ramon Fonseca, has revealed in an interview with Reuters that the attack that allowed hackers to make off with something over two terabytes of sensitive scans and images along with other information was an external hack. He said that this was not an inside job. That's a surprising confession made only a couple of days after the hack was discovered and after the contents of the firm's files were published far and wide in newspapers and on Websites.
So what really happened? Security experts I've talked to tell me that Mossack Fonseca was almost certainly the victim of a spear-phishing attack, with an email that released malware that opened up access to the firm's network. That would make Fonseca's statement correct, since it doesn't appear that an insider knowingly unleashed the malware or emailed the data to co-conspirators.