NEWS ANALYSIS: The "Panama Papers" - The Data Security Implications

Tom Burroughes, Group Editor, April 6, 2016


A firm operating in the field of data security and privacy examines some of the issues around the massive leak - or theft - of account files based in Panama.

The “Panama Papers” saga, involving a leak, or theft, of a vast trove of data on accounts set up via a Panama-based law firm, has already embarrassed politicians, caused a high-profile resignation from Transparency International (the organisation exposing dirty money and ranking IFCs for good conduct), and even led to calls for certain jurisdictions linked to the UK, such as the Channel Islands, to be brought under direct control from London. Governments in the UK, Australia and New Zealand are examining evidence caused by the leak for possible leads.

This raises question marks about how far governments can or should go in using stolen data for investigations, and whether there needs to be a much clearer dividing line between legitimate privacy and client confidentiality, on one side, and illegitimate secrecy, on the other. (In recent years, for example, authorities in Germany have used data stolen from Switzerland, and paid for it with public funds.) After all, the risk of kidnap and extortion remains real enough to encourage many rich persons to take the risk of parking money in certain IFCs than tell all to the tax authorities. However, the fact that, for example, past dictators who have looted their countries have used secret accounts makes the issue particularly toxic. And any politicians in major democracies with links to offshore will be hit at the ballot box because such activity smacks of hypocrisy.

The offshore world has been through dramatic changes in recent years and now faces international regimes such as the Common Reporting Standard, more pacts over automatic exchange of information, and demands for public registers of beneficial ownership. And yet at the same time there are worries about the activities of hackers who while they might sometimes claim to have public interests at heart, may also be acting for political and criminal motives.

Against this background, MWR InfoSecurity, a firm operating in the fields of security and information protection, addresses some of the issues. The comments are from Zak Maples, a senior security consultant at the firm.

Elsewhere on Family Wealth Report today, Charles Lowenhaupt has written a comment about the saga and associated privacy implications for wealthy families.

Is this the first of many such “largest data leak in history” type stories, as organizations battle to close the floodgates?

Whilst this breach has been given the title as the largest data leak in history, this can be somewhat misleading. It has been reported to be the largest due to the size of the data leaked. However, there are numerous different ways to measure how big a data breach is, in both tangible and intangible ways. For example, is the largest data breach one which involves the most number of individual people? The one with the largest amount of data stolen? Or one in which there is the most impact? Whilst this is uncertain, one thing that is clear is that data breaches are becoming an all too common trend that are often causing irreparable brand and reputational damage to the businesses involved. This proves that businesses need to take cybersecurity seriously as a business problem and not just an IT problem.

What does an “attack on its email server” mean - what would the attack look like?

There has been very limited information revealed about the nature of the attack. Although early details point to a compromise of an e-mail server, it is MWR’s experience that further investigation is often required to firmly establish the cause of data breaches.

Should the e-mail server have been compromised it could have happened in multiple ways. The e-mail server could have been exposed externally to the internet and an attacker could have performed password guessing brute-force attacks to gain access to individual mailboxes. Alternatively, this could be part of a broader compromise of the organization. Once attackers have gained access to an organization’s network they will often look to elevate privileges and gain access to as many systems as possible. Attackers may have compromised the Mossack Fonseca network and elevated privileges to that of a domain administrator or similar and used these elevated privileges to access and download all the data contained on the e-mail server.

Register for FamilyWealthReport today

Gain access to regular and exclusive research on the global wealth management sector along with the opportunity to attend industry events such as exclusive invites to Breakfast Briefings and Summits in the major wealth management centres and industry leading awards programmes