NEWS ANALYSIS: The "Panama Papers" - The Data Security Implications
A firm operating in the field of data security and privacy examines some of the issues around the massive leak - or theft - of account files based in Panama.
The “Panama Papers” saga, involving a leak, or theft, of a vast trove of data on accounts set up via a Panama-based law firm, has already embarrassed politicians, caused a high-profile resignation from Transparency International (the organisation exposing dirty money and ranking IFCs for good conduct), and even led to calls for certain jurisdictions linked to the UK, such as the Channel Islands, to be brought under direct control from London. Governments in the UK, Australia and New Zealand are examining evidence produced by the leak for possible leads.
This raises questions about how far governments can or should go in using stolen data for investigations, and whether there needs to be a much clearer dividing line between legitimate privacy and client confidentiality, on one side, and illegitimate secrecy, on the other. (In recent years, for example, authorities in Germany have used data stolen from Switzerland, and paid for it with public funds.) After all, the risk of kidnap and extortion remains real enough to encourage many rich persons to take the risk of parking money in certain IFCs rather than tell all to the tax authorities. However, the fact that, for example, past dictators who have looted their countries have used secret accounts makes the issue particularly toxic. And any politicians in major democracies with links to offshore will be hit at the ballot box because such activity smacks of hypocrisy.
The offshore world has been through dramatic changes in recent years and now faces international regimes such as the Common Reporting Standard, more pacts over automatic exchange of information, and demands for public registers of beneficial ownership. And yet at the same time there are worries about the activities of hackers who, while they might sometimes claim to have public interests at heart, may also be acting for political and criminal motives.
Against this background, MWR InfoSecurity, a firm operating in the fields of security and information protection, addresses some of the issues. The comments are from Zak Maples, a senior security consultant at the firm.
Elsewhere on Family Wealth Report today, Charles Lowenhaupt has written a comment about the saga and associated privacy implications for wealthy families.
Is this the first of many such “largest data leak in history” type stories, as organizations battle to close the floodgates?
Whilst this breach has been given the title of the largest data leak in history, this can be somewhat misleading. It has been reported to be the largest due to the size of the data leaked. However, there are numerous different ways to measure how big a data breach is, in both tangible and intangible ways. For example, is the largest data breach one which involves the largest number of individual people? The one with the largest amount of data stolen? Or one in which there is the most impact? Whilst this is uncertain, one thing that is clear is that data breaches are becoming an all too common trend that is often causing irreparable brand and reputational damage to the businesses involved. This proves that businesses need to take cybersecurity seriously as a business problem and not just an IT problem.
What does an “attack on its email server” mean - what would the attack look like?
There has been very limited information revealed about the nature of the attack. Although early details point to a compromise of an e-mail server, it is MWR’s experience that further investigation is often required to firmly establish the cause of data breaches.
Should the e-mail server have been compromised, it could have happened in multiple ways. The e-mail server could have been exposed externally to the internet and an attacker could have performed password-guessing brute-force attacks to gain access to individual mailboxes. Alternatively, this could be part of a broader compromise of the organization. Once attackers have gained access to an organization’s network they will often look to elevate privileges and gain access to as many systems as possible. Attackers may have compromised the Mossack Fonseca network and elevated privileges to that of a domain administrator or similar and used these elevated privileges to access and download all the data contained on the e-mail server.
Do you think it was a lucky break or a planned attack - and assuming either, how could the hackers find “the gold”?
All cyber-attacks require a degree of planning, but cyber criminals typically target several organizations in order to increase the chances of success. Issue-motivated groups (or "hacktivists") have also been known to target multiple organizations in campaigns focusing on a central theme. In this way, attackers increase their chances of getting "lucky".
Whilst law enforcement activity has severely curtailed the activity of Anonymous and other issue-motivated groups, this is the type of high profile attack hacktivist groups will want to accomplish. Anonymous and other issue-motivated groups have made a lot of noise about the perceived power of the 1 per cent and position themselves as a group fighting against inequality. It is likely that these hacktivist groups, if not responsible, will see the impact of this breach and take it as inspiration to target similar offshore law firms offering similar services in the future.
How would an organization know something like this was happening and how could they stop it before the damage was done?
The key to organizations being able to defend against these attacks is to ensure they have an active cybersecurity program that allows them to predict, prevent, detect and respond to these attacks. All too often organizations fall into the trap of putting too many resources into trying to prevent an attack from happening in the first place, rather than understanding where security spending offers the most return on investment.
For example, what is equally important is ensuring organizations have the ability to detect an attack when these preventative measures fail and can swiftly respond to the attack. Whilst there is no silver bullet in security, in this specific case it has been reported that 2.6TB of data was exfiltrated from the organization. Detective controls that look for large spikes in data being transferred out of the organization and other data loss prevention (DLP) controls could have helped to prevent the data being exfiltrated or being widely disseminated.
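The detective control described above, a check for unusual spikes in outbound data volume, as an added illustration that is not part of the article or MWR's tooling. It runs over a constructed sample of per-host hourly outbound byte counts (the log format, host names and thresholds are assumptions) and flags a host whose egress in one hour far exceeds its own median hourly volume.

```python
"""Flag hosts whose outbound data volume spikes far above their own baseline."""
from collections import defaultdict
from statistics import median

# Constructed sample flow log (not from the page): "<hour> <host> <bytes_out>".
# mail01 normally sends tens of MB per hour; in hour 04 it sends ~1.9 GB outbound.
SAMPLE_FLOWS = """\
2016-03-01T00 mail01 41000000
2016-03-01T01 mail01 38000000
2016-03-01T02 mail01 35000000
2016-03-01T03 mail01 40000000
2016-03-01T04 mail01 1900000000
2016-03-01T00 web01 12000000
2016-03-01T01 web01 14000000
2016-03-01T02 web01 13000000
2016-03-01T03 web01 12500000
2016-03-01T04 web01 15000000
"""


def parse_flows(text):
    """Return {host: {hour: bytes_out}} aggregated from 'hour host bytes' lines."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed lines rather than abort the whole check
        hour, host, nbytes = parts
        totals[host][hour] += int(nbytes)
    return totals


def detect_egress_spikes(text, factor=10.0, min_bytes=500_000_000):
    """Return (host, hour, bytes_out, baseline) for every hour in which a host's
    outbound volume exceeds factor x its median volume in the other hours AND an
    absolute floor, so tiny fluctuations on quiet hosts are not reported."""
    alerts = []
    for host, hours in parse_flows(text).items():
        for hour, nbytes in sorted(hours.items()):
            others = [v for h, v in hours.items() if h != hour]
            if not others:
                continue  # a single observation has no baseline to compare against
            baseline = median(others)
            if nbytes >= min_bytes and nbytes > factor * baseline:
                alerts.append((host, hour, nbytes, baseline))
    return alerts


if __name__ == "__main__":
    for host, hour, nbytes, baseline in detect_egress_spikes(SAMPLE_FLOWS):
        print(f"ALERT {host} {hour}: {nbytes / 1e9:.2f} GB out vs ~{baseline / 1e6:.0f} MB/h baseline")
```

On the sample data only mail01 in hour 04 is reported; a real deployment would feed the same logic from flow or proxy logs and tune `factor` and `min_bytes` to each host's normal role.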
What steps could be taken to prevent the success of such an attack in the future?
As mentioned, it is important that organizations have an active cybersecurity program in place that allows organizations to predict, prevent, detect and respond to these attacks. The priority of such a program should be the identification and protection of key business assets and IT assets. In the case of Mossack Fonseca, a key business asset would be the case files and private details of their clients. This would be mapped to numerous key IT assets, one of which would be the e-mail server due to the large number of e-mails containing this sensitive data. Thus, a focus of the cybersecurity program should be to implement controls that protect the e-mail server, detect when the e-mail server is under attack and allow for a swift response to contain and recover from such an attack.