Massive Law Firm Hack Reveals Rich Hiding Money

Hackers allegedly stole more than 11.5 million documents from the Panamanian law firm of Mossack Fonseca, detailing the workings of offshore accounts for many politicians and the rich, and delivered the information to journalists.


The alleged hack of Mossack Fonseca, a Panamanian law firm, has resulted in the leak of more than 11.5 million documents that detail the workings of offshore accounts held by many politicians and wealthy citizens.

The leak happened a year ago, when an unknown source contacted the Süddeutsche Zeitung (SZ), a German newspaper. The newspaper collaborated with about 400 other journalists from other publications to sift through the 2.6 terabytes of material and verify the information. The media outlets released the information—dubbed the "Panama Papers"—on April 3, shedding light on the companies set up by hundreds of "important politicians, international criminals, and well-known professional athletes" to hide money.

"[T]he new Panama Papers trove shows the role of often-overlooked lawyers and incorporation agents in the process [of] moving, hiding and laundering money for the wealthy," wrote journalists from—one of the many media outlets that partnered with SZ on the project. "The results of the yearlong investigation encompass 214,488 corporate entities—among them companies, trusts, and foundations—controlled by everyone from heads of state, politicians, Forbes-listed billionaires, to drug lords, businesses blacklisted by the US government, scammers, and FIFA officials."

The massive leak underscores the lucrative nature of offshore companies that are incorporated in jurisdictions that allow extensive secrecy. The Tax Justice Network estimated that, as of 2010, some $21 trillion to $32 trillion have been sequestered in tax havens. "We believe this range to be conservative," the group said in 2012, pointing to the variety of yachts, land and other assets owned by such companies. "Remember: this is just financial wealth."

The leak also underscores that law firms' lack of focus on cyber-security has put them in legal jeopardy and exposed their clients to business loss and risk. For more than half a decade, security experts have been warning law firms that they are a logical target of hackers and nation-state adversaries. In 2009, the FBI warned law firms of a notable increase in efforts to break into their systems, according to the Associated Press. Last year, a Citigroup report took law firms to task for their lack of openness regarding successful attacks on their systems.

Law firms typically only have basic security, such as spam filters, firewalls and anti-spyware, according to the American Bar Association's Legal Technology Survey Report for 2015. Only 41 percent of law firms use encryption or file-access restrictions. Fifteen percent of law firms included in the study had experienced a breach.

"Outside the USA there has been little interest by foreign law firms in investing in cyber security and for mounting competent cyber defense capabilities," Philip Lieberman, president and CEO of Lieberman Software, said in a statement sent to eWEEK. "The fact is of great value to many criminal and nation state activities in the exploitation of weak security within law firms."

So far, there is little evidence as to whether the Mossack Fonseca leak resulted from a hack or insider theft. The law firm, in a statement to Reuters, blamed a "limited hack," but other reports have indicated that the breach may have been caused by a disgruntled employee.

Law firms hold their clients' most sensitive secrets and typically have a poor understanding of cyber-security, making them ideal targets for attackers.

"The implications of law firm breaches are mind boggling," Lieberman said. "It is a simple step for a criminal to move on to attacking an appropriate law firm to harvest their files. For a criminal this could mean the ability to manipulate stocks, access the personal records of principals within the companies, and provide a way to blackmail a person based on information not publicly known."

Mossack Fonseca did not reply to emailed requests for comment.

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...