For a law firm like Mossack Fonseca, which built its entire reputation on secrecy, it was the worst-case scenario: 11.5 million documents and more than two terabytes of data, blowing the secrets of its clients wide open. Scores of celebrities, world leaders, and businesses with offshore accounts had their dirty laundry aired in public.
In short, as far as data breaches go, it doesn’t get much worse than this. There’s no mitigating what happened, no public relations spin that’ll help the leak’s victims repair the damage. I’d even go so far as to wager that Mossack Fonseca may well be dead in the water at this point (or at the very least, looking at some hefty litigation).
Honestly, they deserve it.
No, not because they helped establish hundreds of thousands of shell companies and offshore accounts. In some cases, that sort of thing’s perfectly legal. No, the reason I’ve no sympathy for Mossack Fonseca is that if you look at analyst commentary on how the leak likely progressed, it reads like a step-by-step guide to botching network security.
- The attackers likely gained access to Mossack Fonseca’s networks through a spear-phishing attack. It’s not clear who they targeted, but that employee had access to pretty much everything. Either they were a higher-up, or this was one of those companies where everyone had admin access (they exist).
- The firm’s data was neither segmented nor encrypted. Again, I emphasize: the attackers had near-instant access to everything.
- Either there was no monitoring taking place for suspicious activity, or no one was paying attention. How else can it be explained that someone made off with two terabytes of data without being noticed? That’s the real-world equivalent of stealing a bus in broad daylight.
- The firm had no way of controlling the documents once they were outside their (lax) security perimeter.
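
The monitoring gap in the third bullet, as an added example (not from the original post or from any analyst report): a sketch of per-host egress accounting over flow records that flags sustained outbound volume even when no single day looks alarming. The flow tuple layout, the 10.0.0.0/8 internal range, the host addresses and the thresholds are all assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict
from statistics import median

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range
GB = 10**9

def external_egress_by_day(flows):
    """Sum the bytes each internal host sent to non-internal destinations, per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        if ipaddress.ip_address(dst) not in INTERNAL:
            totals[src][day] += nbytes
    return totals

def find_bulk_egress(flows, baseline_days=7, window=5, factor=3, floor=20 * GB):
    """Flag hosts whose rolling `window`-day external egress exceeds both an
    absolute floor and `factor` times what their own baseline predicts.
    Returns (host, day_of_first_alert, bytes_in_window) tuples."""
    alerts = []
    for host, per_day in external_egress_by_day(flows).items():
        series = [per_day.get(d, 0) for d in range(max(per_day) + 1)]
        # Expected volume for one window, from the host's own early history.
        expected = median(series[:baseline_days]) * window
        for end in range(baseline_days + window, len(series) + 1):
            total = sum(series[end - window:end])
            if total >= floor and total > factor * max(expected, 1):
                alerts.append((host, end - 1, total))
                break  # one alert per host is enough to open a case
    return alerts

# Constructed flow records: (day, source host, destination, bytes sent).
FLOWS = []
for day in range(14):
    # Hypothetical mail server: 2 GB/day normally, then 9 GB/day from day 7.
    # A naive 10 GB/day per-host alarm would never fire on this host.
    FLOWS.append((day, "10.1.1.20", "203.0.113.9", (2 if day < 7 else 9) * GB))
    # Steady talker: 3 GB/day external, never deviates from its baseline.
    FLOWS.append((day, "10.1.1.30", "198.51.100.7", 3 * GB))
    # Large internal backup traffic is ignored; only 1 GB/day leaves the network.
    FLOWS.append((day, "10.1.1.40", "10.9.9.9", 50 * GB))
    FLOWS.append((day, "10.1.1.40", "198.51.100.7", 1 * GB))

if __name__ == "__main__":
    for host, day, total in find_bulk_egress(FLOWS):
        print(f"ALERT {host}: {total / GB:.0f} GB external egress in window ending day {day}")
```

Comparing each host against its own history, rather than one network-wide number, is what lets the slow transfer stand out while the 50 GB/day internal backup stays quiet.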
In short, at the end of the day, Mossack Fonseca paid lip service to security in an industry where they should be doing the exact opposite. They’ve no one but themselves to blame for this breach. But on the plus side, at least they can serve as a cautionary tale to the rest of us, right?
Everyone likes to pretend security is some complicated, arcane thing – but it really isn’t. With even a halfway-competent security team, it’s possible to lock down a network against intrusion and protect sensitive data from theft. Look at the Panama Papers breach as a cautionary tale of what can happen when you fool yourself into thinking security isn’t a priority.