An epic release of confidential information, which has revealed
the questionable financial dealings of some of the world’s wealthiest people,
may have been made possible by the careless cybersecurity practices of a
Panamanian law firm.

Beginning in 2015, an anonymous individual who refers to
himself as “John Doe” provided German newspaper Süddeutsche Zeitung with a
massive cache of information taken from Mossack Fonseca, a Panama-based law
firm that caters to politicians, world leaders, celebrities, and professional
athletes. The information, dubbed the Panama Papers, included nearly 11.5
million emails, PDFs, spreadsheets, passports, and other documents that revealed
the identities of some of the wealthiest and most powerful people in the world,
as well as their efforts to avoid paying taxes in their native countries. The
Panama Papers, which have been analyzed and disseminated by The International
Consortium of Investigative Journalists, have also identified dozens of major
banks that have helped facilitate the tax evasion practices used to keep the
rich from sharing their wealth.

How John Doe accessed the nearly 2.6 terabytes of data is
not clear, but it’s possible that the anonymous whistleblower hacked into the
law firm’s servers and helped himself to the information. Such a hack may have
been easier than one would imagine given Mossack Fonseca’s incredibly weak
cybersecurity practices.

Though the firm clearly had the necessary capital to invest
in sophisticated cybersecurity measures, there were dozens of vulnerabilities
which left plenty of doors open to hackers. Mossack Fonseca’s website was using
an outdated and vulnerable version of WordPress and a number of plugins that
were easy to exploit. The version of the Revolution Slider plugin used by the
firm has numerous known vulnerabilities. Another outdated WordPress plugin
stored clients’ email addresses inside the database, and ALO EasyMail gave
hackers easy access to the firm’s email server.

The firm relied on a Drupal content management system (CMS) that
hadn’t been updated since 2013, and would-be hackers had at least 25
vulnerabilities to choose from. All it would have taken to gain access to the
CMS portal was the stored user name and password of a single Mossack Fonseca
client. When the firm updated its payment CMS, it failed to lock down a directory,
which presented an avenue for infiltration. The firm’s Outlook Web Access had
not been updated since 2009.

Given the sensitivity of the information being kept by
Mossack Fonseca about their clients, and the dubious practices employed to help
them evade paying taxes, it is surprising how little thought was put into
security measures. But the prime ministers of Iceland and Australia, the
presidents of Argentina and Ukraine, the kings of Saudi Arabia and Morocco, and
a bevy of other world leaders may be paying the price for Mossack Fonseca’s
failure to protect their information.