Industry reactions to the Mossack Fonseca data breach
The Panama Papers, a collection of 11.5 million files leaked from Panama-based law firm Mossack Fonseca, are now online. The documents show in detail exactly how the world’s 1 percent manipulate offshore wealth.
Here are some of the comments Help Net Security received.
Philip Lieberman, President of Lieberman Software
The implications of law firm breaches are mind-boggling, since parties within lawsuits provide full disclosure of their chosen law firms as a matter of public record. It is a simple step for a criminal to move on to attacking an appropriate law firm to harvest their files. For a criminal this could mean the ability to manipulate stocks, access the personal records of principals within the companies, and provide a way to blackmail persons based on information not publicly known.
In the case of foreign or illegal transactions, the files of law firms may contain account numbers, PIN codes, passwords and other elements of accounts that may be exploited by an attacker. Many clients rely on the sanctity of confidentiality to keep their business secret, avoid taxes and avoid potential incarceration.
The lesson that clients should learn here is that it is up to the client to inspect the cyber warfare capabilities of their law firm and if there is little to show, then they should consider their confidentiality blown. Clients should not be comfortable with assurances that everything is fine or that the law firm has passed their audits. Audits do not test the ability of a law firm to sustain its security when attacked.
Clients should ask their firms whether they are regularly penetration tested by different firms, have segregated networks, use multiple levels of cryptography, use air-gapped networks, and use automated privileged access and privileged identity management systems to rotate all sensitive passwords on every system every 2-24 hours worldwide.
There are some law firms with excellent automated and adaptive cyber defense capabilities, but many are stuck in the dark ages of wigs, candles to read by, and quill pens to write with. Clients deserve modern and properly funded cyber defense capabilities from their law firms – they are certainly paying more than enough to law firms for them to have proper defenses.
It is inevitable that there will be a law firm breach that will result in the bankruptcy of one or more law firms for gross incompetence, negligence, and malpractice as a result of a cyber-attack. In the future, law firm partner disbarment could occur as a result of a lack of fundamental law firm security as the courts evaluate what normal and reasonable care should be for attorneys that use Internet connected systems.
Luke Brown, VP and GM EMEA, India and Latam at Digital Guardian
Putting aside the fact that the leaked emails and documents appear to include information about illicit operations, for the victims, a data breach of this scale could have life-altering or, at the very least, distressing effects.
Ultimately, the breach may trigger serious legal repercussions against Mossack Fonseca. Data protection should be of the utmost importance in environments like this and yet we have seen a growing number of data breaches in law firms over the last few months.
This latest case reinforces the need for “data aware” security technologies in the legal sector. If Mossack Fonseca had such technologies in place, it could have prevented its most sensitive emails and files from being copied, moved or deleted without approval or permission. Companies must learn from incidents like this and better protect their IT environment, with the ability to apply security at the data-level being of the utmost importance.
Brian Spector, CEO at MIRACL
As far as hackers are concerned, any legal firm represents a treasure trove of personal and financial data – but this latest attack is an absolute goldmine. Protecting your clients’ data is a fundamental part of being a lawyer, so it’s difficult to see how this firm can recover from a hack of this magnitude.
Whilst it is too early for a more detailed analysis, the attack vectors commonly used to initiate attacks of this magnitude are to gain access by stealing employee credentials. The credentials are still all too often simply a username and password. Attackers know that when a password, irrespective of how complex the password may be, is successfully stolen, the attacker can get access to internal systems and work their way to sensitive information – and steal it all.
The underlying issue is that the username and password system is old technology that is not up to the standard required to secure the deep information and private services that companies and individuals store and access online today. In order to retain their customers’ trust, online services need to remove the password from their systems altogether, and implement rigorous authentication technologies.
Dodi Glenn, VP of Cyber Security at PC Pitstop
Given the bits of information we’ve already seen, I suspect many people will be caught in a lot of turmoil in the near future, as the documents are further analyzed and more information is disclosed to the public. It’ll be interesting to see how many individuals come forward, admit they were caught, and resign from their positions.
From a security standpoint, the amount of content leaked seems to dwarf Wikileaks’ Cablegate from 2010, but it’s hard to say at this point how the data was taken – whether it was an insider, a phishing attack, or malware.
Long story short, if you want to keep something confidential, don’t put it on a computer, specifically one connected to the Internet. The very second you do that, you can assume the data can be purloined.
Stu Sjouwerman, CEO at KnowBe4
Since it was a mail server that was hacked, it is likely that the hackers were able to get in using social engineering tactics, sending a well-crafted spear-phishing attack which tricked an employee into giving their email account credentials to the hackers.
With credentials to get into the mail server, they probably were able to monitor email traffic for months, and ultimately social engineer a system administrator to get their admin credentials. Once you have these, you have the “keys to the kingdom” and can exfiltrate any files you want, even terabytes.
Obviously Mossack Fonseca did not have the right policy, procedure and tools in place to prevent a hack like this.
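As an added example, not part of Help Net Security's article nor code from any of the quoted firms: the chain Sjouwerman describes (phished mailbox credentials, then months of quiet monitoring, then bulk exfiltration) leaves traces in a mail server's own access log, and a defender can catch two of them cheaply. The script below builds a per-user baseline of source addresses from a "known good" period and then flags successful logins from an address never seen for that user, as well as sessions that fetch an unusually large number of messages. The log format, the users, the addresses and the thresholds are all constructed for this example.

```python
"""Mailbox-access anomaly check over constructed mail-server log lines."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical format, hypothetical users/addresses).
# 203.0.113.0/24 is a documentation range, used here as the "unfamiliar" source.
SAMPLE_LOG = """\
2016-01-04T08:12:31 LOGIN user=jsmith src=10.0.5.21 result=ok
2016-01-04T08:13:02 FETCH user=jsmith src=10.0.5.21 messages=12
2016-01-05T09:01:10 LOGIN user=jsmith src=10.0.5.21 result=ok
2016-01-05T09:02:00 FETCH user=jsmith src=10.0.5.21 messages=8
2016-01-05T10:10:10 LOGIN user=admin src=10.0.5.3 result=ok
2016-01-05T10:11:00 FETCH user=admin src=10.0.5.3 messages=3
2016-01-06T18:44:03 LOGIN user=jsmith src=203.0.113.77 result=fail
2016-01-06T18:44:40 LOGIN user=jsmith src=203.0.113.77 result=ok
2016-01-06T18:45:01 FETCH user=jsmith src=203.0.113.77 messages=4000
"""

BASELINE_END = datetime(2016, 1, 6)  # successful logins before this define "known" sources
BULK_FETCH = 500                     # messages in one FETCH above which we alert (assumed)


def parse(log):
    """Turn 'timestamp KIND key=value ...' lines into dicts."""
    events = []
    for line in log.splitlines():
        ts, kind, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind, **fields})
    return events


def known_sources(events, cutoff=BASELINE_END):
    """Per-user set of source addresses seen in successful logins before cutoff."""
    known = defaultdict(set)
    for e in events:
        if e["kind"] == "LOGIN" and e["result"] == "ok" and e["ts"] < cutoff:
            known[e["user"]].add(e["src"])
    return known


def find_anomalies(log, cutoff=BASELINE_END, bulk=BULK_FETCH):
    """Return (alert_type, user, src) tuples for events at or after cutoff."""
    events = parse(log)
    known = known_sources(events, cutoff)
    alerts = []
    for e in events:
        if e["ts"] < cutoff:
            continue  # baseline period: used to learn, not to alert
        # A successful login from an address this user has never used before.
        if e["kind"] == "LOGIN" and e["result"] == "ok" and e["src"] not in known[e["user"]]:
            alerts.append(("new_source_login", e["user"], e["src"]))
        # A single session pulling far more mail than normal use would.
        if e["kind"] == "FETCH" and int(e["messages"]) > bulk:
            alerts.append(("bulk_fetch", e["user"], e["src"]))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG):
        print(*alert)
```

Run as-is it reports the two suspicious events for jsmith on the constructed log: a first-ever login from 203.0.113.77 (preceded by a failed attempt) and a 4000-message fetch from that same address. The baseline window and the bulk threshold are the knobs to tune against a real server's history; a user with no baseline at all (a new hire) will be flagged on their first login, which is a reasonable default for a mailbox holding client files.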