My first reaction after reading accounts about the breach of a vast trove of financial and related information from the Panamanian law firm Mossack Fonseca was to channel John Le Carré and his famed Panamanian tailor/spy Harry Pendel.
However, the reality is much less interesting. The story is actually about a company with third-rate security that gets exploited by a routine hack.
While the details of the attack on Mossack Fonseca haven’t been fully revealed, and while there’s a great deal of hay being made by newspapers reporting details about prominent people who have offshore financial accounts, the really important story is about what was’’t in the breach. And no, I’m not talking about the puzzling lack of involvement by Americans. What’s clearly lacking is even the most basic attempt at protecting the firm’s client data.
The firm’s founding partner, Ramon Fonseca, has revealed in an interview with Reuters that the attack that allowed hackers to make off with something over two terabytes of sensitive scans and images along with other information was an external hack. He said that this was not an inside job. That’s a surprising confession made only a couple of days after the hack was discovered and after the contents of the firm’s files were published far and wide in newspapers and on Websites.
So what really happened? Security experts I’ve talked to tell me that Mossack Fonseca was almost certainly the victim of a spear-phishing attack, with an email that released malware that opened up access to the firm’s network. That would make Fonseca’s statement correct, since it doesn’t appear that an insider knowingly unleashed the malware or emailed the data to co-conspirators.
But here’s where it gets tricky. Even if the attack came from outside, the information on who to target in the attack had to come from somewhere. The fact that the entire digital assets of the firm appear to have been laid bare would indicate that the target had to be someone very senior in the firm, or that the firm simply allowed any employee to look at anything on its servers. So where did the information on employees with privileged access come from?
The chances are very good that the critical information came from inside the firm, perhaps unwittingly. The names of some of the lawyers at the firm can be found on the company’s Website with minimal effort. The names of the principals are public, but which of these people to attack? A list of partners with their email addresses could be all that was needed.
Well placed emails were all that was required to carry out the recent spate of CEO spear-phishing attacks that have recently struck companies of all sizes. A senior person at a company gets an email with a plausible request for information that seems to be from someone they know.
Panama Papers Breach Reveals Astonishingly Lax Network Security
The executive provides the requested information and clicks. That’s all it takes.
“It’s very easy because a lot of companies don’t have a lot of security awareness education programs on how to avoid being spear-phished,” said Tyler Cohen Wood, a security advisor at Inspired eLearning.
Wood is a former Defense Intelligence Agency senior intelligence officer and cyber-deputy division chief, who has over 16 years working on security issues at the Department of Defense. She said that many breaches can be avoided with some fairly straightforward training in recognizing a spear-phishing attack.
Unfortunately, it doesn’t really matter how access was gained because once inside the hackers had their way with the firm’s data. Apparently none of it was segmented, none seemed to have access restricted to specific people, none of it was encrypted and apparently nobody was paying attention to the network traffic. How else can you explain how over two terabytes of data was exfiltrated from the company’s network with no one noticing?
The theft of so much data could have been enabled by what Wood calls an “unintentional insider,” which is someone who provides the critical information for penetrating a network without realizing that they are doing so. She said that such gaps in security can be reduced by appropriate training.
But much of the blame at the firm goes beyond just training employees. Like Target before its breach, apparently there was nothing to prevent someone who had access to the network from getting anywhere on the network they wanted, including some highly sensitive areas that contained the private information of clients.
Worse, there appears to have been nothing in the way of intrusion detection. How else can you explain the ability to move that much data out of a network without anyone noticing? Even if someone had walked into the law firm’s office with a portable hard drive and started copying, the process would have taken hours or days. If the breach was done remotely as the firm claims, it could have taken weeks to siphon off all that data.
Regardless of how the perpetrators breached the network, the fact is that lax security practices at Mossack Fonseca must have played a role. Otherwise, even if hackers had managed to get in without assistance, they couldn’t have downloaded so much data.
There are important lessons in the Mossack Fonseca breach, not the least of which is to pay more than lip service to security. Even if it’s not possible to eliminate all breaches, it’s still possible to limit the damage.
Hopefully the firm will take steps to lock things down. And hopefully when all those Icelandic, Russian and Chinese leaders go looking for a private place to shelter the proceeds of their graft, they’ll check the service provider’s security before they do anything else.