Panama Papers: A data security disaster
The Panama Papers security breach is a juicy, made-for-the-Internet scandal. It has all the elements – secret off-shore accounts; involvement by international politicians, criminals, celebrities and sports stars; 11.5 million files cyber-filched from a law firm’s files and then leaked to the media.
A Google search for Panama Papers yields more than 10 million hits. The whole world is watching.
While most of the Panama Papers attention will focus on the salacious aspects, the breach of the Panamanian law firm Mossack Fonseca’s files exposes another dirty little secret – the trouble law firms have keeping clients’ data secure.
The Mossack Fonseca breach is hardly the first. In late March the Wall Street Journal reported that that the international law firms Weil Gotshal & Manges, and Cravath, Swaine & Moore and other firms suffered data breaches, putting attention on the potential consequences for law firms with lax security. The newspaper reported that other unnamed law firms, suffered data breaches and that federal prosecutors in Manhattan are investigating whether hackers used stolen information for insider trading purposes.
Additionally, a 2015 report from Citigroup’s cyber intelligence center warned of the threat of attacks on the networks and websites of big law firms.
The report said it was reasonable to expect law firms to be targets of attacks by foreign governments and hackers because they are repositories for confidential data on corporate deals and business strategies. The report noted that digital security at many law firms generally remains below the standards for other industries.
It said law firms were at “high risk for cyber intrusions” and would “continue to be targeted by malicious actors looking to steal information on highly sensitive matters such as mergers and acquisitions and patent applications.”
What’s the solution?
A good place to start is a recent article by the FTC. It lays out 10 basic security steps that all companies should take. It also tells one cautionary tale after another of companies that failed to meet one or more of these basic steps. It’s a must read – particularly for managing partners of law firms large and small.
Analyzing the Panama Papers breach in light of some of the basic steps outlined by the FTC, it is clear to see how it happened – and could have just as easily been prevented.
Early information concerning the hack points the law firm’s client portal as the Achilles heel. That portal is reportedly built on an aged version of Drupal, the popular open source data management project. Drupal is a very successful open source project. There is nothing at all wrong with using it. After all, open source software is the way applications are built today.
The issue here is that Mossack Fonseca failed to make certain that the version they were using was, and remained, secure. In fact, the version they were reportedly using had 25 or more known security vulnerabilities. “Known” meaning that these security vulnerabilities were publicly announced going back as far as 2013. “Known” meaning that anyone paying attention, anyone using Drupal to house extremely sensitive client data, should have been aware.
And “known” meaning that hackers and bad actors also had access to this security vulnerability data. Once security vulnerabilities in a widely used program like Drupal are announced, the race is on to see if the users of the affected open source component can fix it before the hackers exploit. In any event, Mossack Fonseca’s failure to keep current the version of Drupal in use was – in a word – negligent. And avoidable.
Given the sensitive and valuable nature of the information that they were processing using Drupal, and the foreseeable damage that would result from a breach, the law firm owed their clients a much higher level of diligence around their processes and procedure.
It has been reported that the firm outsourced development of their web site and client portal to a third party service provider. Turning our focus back to the FTC’s guidance in that regard numbers 8 and 9 jump out.
Security step #8: “Make sure your service providers implement reasonable security measures”. Be clear with your expectations. Make sure your service providers fully appreciate the level of sensitivity around the work they are doing and the absolute need to get it right. And be sure to regularly verify their work.
Security Step #9: “Put procedures in place to keep your security current and address vulnerabilities that may arise”.
Securing software is a never-ending process
If you are using proprietary software, be sure to implement updates as they are, as soon as they are issued. For open source software, which makes up anywhere from 35% to 50% of the average code base, the process is a bit trickier. Deploy products that 1) automate the process of inventorying your open source and that 2) continuously monitor of the open source you’re using and that 3) send you automatic alerts as soon as any open source products under management are identified as having a known security vulnerability.
The Panamanian law firm will likely argue that they did nothing wrong. The FTC would say otherwise. In any event, it is the absolute responsibility of all law firms, hospitals, insurance firms and other institutions that hold personal information to redouble their security efforts because the bad guys are getting smarter and will exploit security weaknesses.
Your clients, customers, patients, etc. have a reasonable expectation that their information is secure. They have a reasonable expectation that your firm is meeting (or exceeding) the minimum standards the FTC has established.
Start each day thinking about security. You won’t regret it.