An epic release of confidential information, which has revealed the questionable financial dealings of some of the world’s wealthiest people, may have been made possible by the careless cybersecurity practices of a Panamanian law firm.
Beginning in 2015, an anonymous individual who refers to himself as “John Doe” provided German newspaper Suddeutsche Zeitung with a massive cache of information taken from Mossack Fonseca, a Panama-based law firm that caters to politicians, world leaders, celebrities, and professional athletes. The information, dubbed the Panama Papers, included nearly 11.5 million emails, PDFs,
spreadsheets, passports, and other documents that revealed the identities of some of the wealthiest and most powerful people in the world, as well as their efforts to avoid paying taxes in their native countries. The Panama Papers, which have been analyzed and disseminated by The International Consortium of Investigative Journalists, have also identified dozens of major banks that have helped facilitate the tax evasion practices used to keep the rich from sharing their wealth.
How John Doe accessed the nearly 2.6 terabytes of data is not clear, but it’s possible that the anonymous whistleblower hacked into the law firm’s servers and helped himself to the information. Such a hack may have been easier than one would imagine given Mossack Fonseca’s incredibly weak cybersecurity practices.
Though the firm clearly had the necessary capital to invest in sophisticated cybersecurity measures, there were dozens of vulnerabilities which left plenty of doors open to hackers. Mossack Fonseca’s website was using an outdated and vulnerable version of WordPress and a number of plugins that were easy to invade. The version of the Revolution Slider plugin used by the firm has numerous known vulnerabilities. Another outdated WordPress plugin stored clients’ email addresses inside the database, and ALO EasyMail gave hackers easy access to the firm’s email server.
The firm relied on Drupal content management software (CMS) that hadn’t been updated since 2013, and would-be hackers had at least 25 vulnerabilities to choose from. All it would have taken to gain access to the CMS portal was the stored user name and password of a single Mossack Fonseca client. When they updated their payment CMS, they didn’t lock down a directory which presented an avenue for infiltration. The firm’s Outlook Web Access had not been updated since 2009.
Given the sensitivity of the information being kept by Mossack Fonseca about their clients, and the dubious practices employed to help them evade paying taxes, it is surprising how little thought was put into security measures. But the prime ministers of Iceland and Australia, the presidents of Argentina and Ukraine, the kings of Saudi Arabia and Morocco, and a bevy of other world leaders may be paying the price for Mossack Fonseca’s failure to protect their information.