The recent revelation that millions of documents were stolen from the Panamanian law firm of Mossack Fonseca has led to news stories about how the firm allegedly helped clients hide money and avoid taxation. Founding partner Ramon Fonseca has said that the theft was the result of a hack of the firm’s systems, and that the hack itself is the real story. He has a point.
A quick primer for those who haven’t been following the story: In 2015 a hacker stole 2.6 terabytes of data from Mossack Fonseca’s systems. The data consists of 11.5 million documents spanning over 40 years, and includes emails, database files, and PDF documents. The data was turned over to the German newspaper Süddeutsche Zeitung which in turn enlisted the help of the International Consortium of Investigative Journalists (ICIJ) to analyze the documents. News reports began to appear on April 3, 2016. Süddeutsche Zeitung published an excellent overview of the data theft.
There have been multiple reports speculating about how the hack took place and who was behind it. The consensus now seems to be that the hacker, who identified himself as “John Doe”, obtained access to Mossack Fonseca’s systems via an insecure email server. This is what the firm told its clients. There have also been reports that a failure to patch certain software may have been the cause.
We don’t know who the hacker is. Mossack Fonseca apparently has ruled out the possibility that any insider was responsible. I’ve seen suggestions that the hacker is American because he used the name “John Doe”. At least one person has speculated that the hacker is someone within the CIA. The hacker has said he acted because, “I want these crimes to be made public”.
The theft of the “Panama Papers” teaches several cyber risk lessons.
Lesson 1: Patch! Companies must be conscientious and diligent about patching software to address security vulnerabilities. If Mossack Fonseca had done that, the data theft might have been prevented.
Lesson 2: Purge! Companies need to avoid keeping more data than is necessary. It isn’t always necessary to keep data going back decades. A good information security program will include regular reviews of the data being retained and purges of data that is no longer needed. If a company decides to keep old electronic data, it should not be accessible on the company’s network; air-gapped storage is the best option in that situation.
Lesson 3: Defend! Companies need to implement security monitoring that detects unusual outflows of data, so that a theft in progress can be stopped and the security gaps it exploited can be identified and closed.
A firm that is vulnerable in the way Mossack Fonseca was needs to be prepared for the tremendous financial consequences of a breach event like this. Many professional service firms continue to believe their professional liability policies will cover them for cyber events. While those policies might respond to lawsuits from clients, they won’t cover first-party costs such as notifications to clients and data protection authorities, or legal and public relations expenses. Those policies also may not cover regulatory claims. They definitely will not cover loss resulting from reputational damage. Cyber insurance policies can help, but they need to be carefully constructed to cover the data security risks the company is most concerned about. Specialty policies covering reputational harm are also available.