Mossack Fonseca, the Panamanian law firm at the heart of the “Panama Papers” leak that has rocked the world of international politics and business this week, apparently had very weak security measure in place to protect is websites and data.
News organizations have been publishing stories this week about the law firm helped set up shell corporations and offshore tax havens for the world’s political and financial elite, but the stories all stem from a trove of 11.5 million documents — 2.6 terabytes of data — that was taken from the firm's files.
While many stories have and will be written about Mossack Fonseca’s business practices and whether any of its clients engaged in illegal activities, less attention has bene paid to how the breach occurred. Little is know about the identity of the leaker or their motivations, but according to Forbes, the leaker contacted a journalist at the German newspaper Süddeutsche Zeitung using an encrypted chat service. The newspaper then shared the documents with the U.S.-based International Consortium of Investigative Journalists.
Founding partner Ramon Fonseca told Reuters that all of the firm’s operations were legal and that it has never helped clients evade taxes or launder money. He also said the company’s emails has been "taken out of context" and misinterpreted by media outlets.
"We rule out an inside job. This is not a leak. This is a hack," Fonseca told Reuters. "We have a theory and we are following it," he added, without explaining further. "We have already made the relevant complaints to the Attorney General's office, and there is a government institution studying the issue," he added
Fonseca told Agence France-Presse that the firm thinks it was hacked by actors from outside Panama. “We have lodged a complaint. We have a technical report that we were hacked by servers abroad.”
So how did all of those documents get leaked? According to Wired, “the front-end computer systems of Mossack Fonseca are outdated and riddled with security flaws." Mossack Fonseca was running outdated software for many of its systems and networks, and had “failed to update its Outlook Web Access login since 2009 and not updated its client login portal since 2013,” according to Wired.
Forbes reported that it “discovered the firm ran a three-month old version of WordPress for its main site, known to contain some vulnerabilities, but more worrisome was that, according to Internet records, its portal used by customers to access sensitive data was most likely run on a three-year-old version of Drupal, 7.23. That platform has at least 25 known vulnerabilities at the time of writing, two of which could have been used by a hacker to upload their own code to the server and start hoovering up data.”
The hack exposes the need for law firms, no matter the size or their client base, to have security measures in place to protect confidential information. According to Forbes: “[Mossack Fonseca’s] emails were not encrypted, according to ACLU privacy and encryption expert Christopher Soghoian, whilst its websites were peppered with potential weaknesses, ripe for any willing hacker.”