A couple of weeks ago, on 3rd April, the world became aware of an alleged cyber-attack on the law firm of Mossack Fonseca in Panama. A couple of days later, it emerged that the attacker had leaked over 2.6TB of data, including over 4.8 million emails, 2.1 million .PDF files, 1.1 million images and 320,166 text files, into the public domain. The files contained confidential financial information belonging to prominent politicians, actors, lawyers and business people. It was interesting to read the media coverage of this case. A lot of general media commentators cited the firm's failure to update its WordPress and Drupal content management systems. While this possibly did contribute to the ease of access which the hacker(s) had, the roots of this hack lie a lot deeper.
Firstly, the data which Mossack Fonseca was holding was not encrypted. Given its confidentiality and headline-worthiness, this was an egregious mistake. Storing confidential personally identifiable information in plain text is far from best practice. It should have been protected using AES whole-disk encryption or, at a bare minimum, stored using file-level encryption.
The next mistake was having a public-facing mail server dual-purposing as a document server. This means that a hacker who had compromised their website could, with a little more work, break into their emails and then their documents. Easy peasy. Their mail server should have been in a DMZ, protected by external and internal firewalls. The document server should have been put on an ultra-secure subnet, with stringent logging (monitored by experienced IT professionals who can spot anomalies quickly) and protected by an APT detection system.
Once they had their network structure secure, they could then have worried about the technicalities at the presentation and application layers of their network. Why was their email not using TLS? Why was WordPress (with its one-click update function) or Drupal not updated? Why were their WordPress plugins not updated, and so on? (In other words, the stuff that Sky News talks about after there has been a cyber-attack.)
Lastly, for a business dealing with such confidential information about such prominent people, there appeared (from media reports, at least) to be a very low level of cyber-risk awareness among senior and junior staff alike. It might have taken just one employee to notice that something was awry when 2.6TB of data was going out into the ether.
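The "stringent logging, monitored for anomalies" point above and the observation that 2.6TB leaving the network should have been noticed both come down to the same control: knowing each server's normal outbound volume and alerting when a day departs from it by an order of magnitude. The script below is an added illustration of that check and is not code from the original post or from any system Mossack Fonseca ran. It assumes a simple per-flow log format (`date host destination bytes_out`) and the sample lines, host names, thresholds and the document-server/mail-server split are all constructed for the example.

```python
"""Flag hosts whose daily outbound traffic dwarfs their own recent baseline.

Added example, not from the original post. Log format is an assumption:
one flow per line, "<YYYY-MM-DD> <host> <dst_ip> <bytes_out>".
"""
from collections import defaultdict
from statistics import median

# Constructed sample log: the document server normally sends a few MB per day,
# then two days of bulk egress to a new destination. The mail server is steady.
SAMPLE_LOG = """\
2016-03-01 docserver 203.0.113.5 4200000
2016-03-01 mailserver 198.51.100.7 9100000
2016-03-02 docserver 203.0.113.5 3900000
2016-03-02 mailserver 198.51.100.7 8800000
2016-03-03 docserver 203.0.113.5 4500000
2016-03-03 mailserver 198.51.100.7 9500000
2016-03-04 docserver 203.0.113.9 850000000000
2016-03-04 mailserver 198.51.100.7 9000000
2016-03-05 docserver 203.0.113.9 920000000000
2016-03-05 mailserver 198.51.100.7 8700000
"""


def parse_flows(text):
    """Parse the assumed log format into (date, host, dst_ip, bytes_out) tuples."""
    flows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        date, host, dst_ip, nbytes = parts
        flows.append((date, host, dst_ip, int(nbytes)))
    return flows


def daily_egress(flows):
    """Sum outbound bytes per host per day: {host: {date: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, host, _dst_ip, nbytes in flows:
        totals[host][date] += nbytes
    return totals


def find_egress_anomalies(flows, ratio=10.0, min_history=2, min_bytes=100_000_000):
    """Return [(host, date, bytes_out, baseline)] for days whose egress exceeds
    `ratio` times the median of that host's earlier, non-alerted days.

    Days are processed in order so only the past feeds the baseline, and a day
    that alerts is kept out of the history so an ongoing leak cannot quietly
    raise its own "normal". `min_bytes` suppresses alerts on tiny hosts where a
    10x jump is still noise. All three thresholds are assumed values.
    """
    alerts = []
    for host, by_day in daily_egress(flows).items():
        history = []
        for date in sorted(by_day):
            total = by_day[date]
            if len(history) >= min_history:
                baseline = median(history)
                if total >= min_bytes and total > ratio * baseline:
                    alerts.append((host, date, total, baseline))
                    continue  # do not let the anomalous day poison the baseline
            history.append(total)
    return alerts


def human_bytes(n):
    """Render a byte count with a binary unit suffix for the alert line."""
    for unit in ("B", "KiB", "MiB", "GiB", "TiB"):
        if n < 1024 or unit == "TiB":
            return f"{n:.1f} {unit}" if unit != "B" else f"{n} B"
        n /= 1024


if __name__ == "__main__":
    for host, date, total, baseline in find_egress_anomalies(parse_flows(SAMPLE_LOG)):
        print(f"ALERT {date} {host}: sent {human_bytes(total)}, "
              f"baseline {human_bytes(baseline)}/day")
```

Run against the sample, the document server's two bulk-transfer days are flagged on the first day they occur, while the mail server's day-to-day variation stays well under the 10x ratio. In practice the flow records would come from a firewall, proxy or NetFlow collector, and the daily totals would be pushed to whoever is actually watching the console; the logic does not change.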
As a result of failing to have a secure IT infrastructure and a cyber risk-aware culture in place, Mossack Fonseca received worldwide negative publicity and severe reputational damage to its business.