
#panamapapers and Mossack Fonseca’s Reckless, Feckless IT Security: Was That Breach a Privacy Curse or a Transparency Blessing?

Posted by on April 9, 2016.

…the tight-lipped Mossack Fonseca (believed to be an industry leader)

The Economist, 2012

Readers will doubtless have noticed that someone has recently loosened Mossack Fonseca’s lips, quite a lot, by way of an utterly monumental hack. 2.6TB of business emails and documents, covering the affairs of Panamanian law firm Mossack Fonseca’s sometimes rich and politically exposed, sometimes corrupt, and always very shy international clients, dating back as far as the mid-70s, are now in the hands of the world’s press, as “Panamapapers”.

With its live-or-die reputation for the strictest discretion now utterly annihilated, Mossack Fonseca looks pretty unlikely to be an industry leader for much longer. Mind you, other Panamanian law firms, “aghast”, are wondering how much of an industry will be left for anyone to lead, once the dust has settled.

While the citizenry takes to the streets to protest, in Brazil, Moldova, Malta, Iceland, Argentina and good old Blighty, China keeps its moneyed politicians out of the Chinese news, and Putin shrugs the whole thing off.

So much for the global impact of Mossack Fonseca on the popular mood. Let’s have a quick look at Mossack Fonseca’s amazing IT security. By way of indication that all is not well in their security thinking and practice, note that Mossack Fonseca seem to have had two huge security breaches in the last year or so. One was a leak, from their Luxembourg office. 80GB of emails and documents ended up in the hands of the Süddeutsche Zeitung (my English).

The Mossack Fonseca Group, of Panama, is one of the largest suppliers of shell companies. The Süddeutsche Zeitung has obtained thousands and thousands of their documents and hundreds of thousands of their emails.

Evaluation of this mountain of data is far from complete, but one thing is already clear: Mossack Fonseca has a problem.

Before taking his trove to the newspapers, the leaker had sold subsets of the data to at least two tax authorities, reportedly trousering $1Mn or so by way of bounty. Süddeutsche Zeitung analyzes the prospects:

According to the documents, at least three more large German financial companies are entangled in alleged criminal activity in Luxembourg and Panama, including state-owned banks. For years, just like Commerzbank, these companies obtained shell companies for rich clients from Mossack. The financial industry expects further raids on more banks in the coming weeks.

After that it went a bit quiet, but in October, the other culprits emerged, rather reluctantly (my English):

To our tax investigators, the Luxemburg subsidiaries of several German banks have started looking a bit…Spanish, lately. That includes private firms such as Commerzbank and HypoVereinsbank as well as state-owned banks: Landesbank Baden-Württemberg (Stuttgart) and HSH Nordbank…

In each case, the banks paid tens of millions of Euros in fines. The bills their clients paid were not reported, as far as I can tell.

Given the stakes in liability and reputation, you’d think that Mossack Fonseca would immediately have initiated a top to bottom data security review, worldwide, back in March 2015.

That’s clearly not quite what happened. Wired, who, presumably with a sense of unbelievable luck, crawled through some of Mossack Fonseca’s still-exposed IT infrastructure straight after the April 2016 mega-hack, has the dope:

The law firm at the centre of the Panama Papers hack has shown an “astonishing” disregard for security, according to one expert. Amongst other lapses, Mossack Fonseca has failed to update its Outlook Web Access login since 2009 and not updated its client login portal since 2013.

Mossack Fonseca’s client portal is also vulnerable to the DROWN attack, a security exploit that targets servers supporting the obsolete and insecure SSL v2 protocol. The portal, which runs on the Drupal open source CMS, was last updated in August 2013, according to the site’s changelog.
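Wired’s DROWN finding is worth a closer look, because the exposure is wider than “one server still speaks SSLv2”. DROWN is a cross-protocol attack: a perfectly modern TLS endpoint is also exposed if its RSA private key is served by any other endpoint that still accepts SSLv2. The short script below is an added example, not code from this post, from Wired or from Mossack Fonseca; it takes a scanner-style inventory of endpoints (the hostnames, key fingerprints and protocol lists are constructed sample data) and reports both the direct and the shared-key exposure, plus anything older than TLS 1.2 that a security review should have caught.

```python
"""DROWN exposure check over an inventory of TLS endpoints (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    host: str
    key_fingerprint: str      # fingerprint of the RSA key the endpoint serves; constructed values below
    protocols: frozenset      # protocol versions the endpoint negotiates, as a scanner would report them


def drown_exposed(inventory):
    """Return {host: reason} for every endpoint exposed to DROWN.

    An endpoint is exposed if it accepts SSLv2 itself, or if its RSA key is
    also served by an endpoint that accepts SSLv2 (the cross-protocol case).
    """
    sslv2_hosts_by_key = {}
    for e in inventory:
        if "SSLv2" in e.protocols:
            sslv2_hosts_by_key.setdefault(e.key_fingerprint, []).append(e.host)

    findings = {}
    for e in inventory:
        if "SSLv2" in e.protocols:
            findings[e.host] = "accepts SSLv2 itself"
        elif e.key_fingerprint in sslv2_hosts_by_key:
            sharers = ", ".join(sorted(sslv2_hosts_by_key[e.key_fingerprint]))
            findings[e.host] = "shares its RSA key with SSLv2-enabled host(s): " + sharers
    return findings


def legacy_protocol_hosts(inventory, allowed=frozenset({"TLSv1.2", "TLSv1.3"})):
    """Return {host: [obsolete protocols]} for endpoints that enable anything outside `allowed`."""
    return {e.host: sorted(e.protocols - allowed) for e in inventory if e.protocols - allowed}


# Constructed inventory: a legacy client portal, a webmail host, an API that
# reuses the portal's key, and a clean public site.
INVENTORY = [
    Endpoint("portal.example", "k1", frozenset({"SSLv2", "SSLv3", "TLSv1"})),
    Endpoint("webmail.example", "k2", frozenset({"TLSv1", "TLSv1.2"})),
    Endpoint("api.example", "k1", frozenset({"TLSv1.2"})),
    Endpoint("www.example", "k3", frozenset({"TLSv1.2", "TLSv1.3"})),
]

if __name__ == "__main__":
    for host, reason in drown_exposed(INVENTORY).items():
        print(f"DROWN: {host}: {reason}")
    for host, protos in legacy_protocol_hosts(INVENTORY).items():
        print(f"legacy protocols on {host}: {', '.join(protos)}")
```

The point of the shared-key rule is that `api.example` would pass a naive “does this host offer SSLv2?” scan and still be exposed. The fix is to disable SSLv2 on every host that serves the key; if a legacy host cannot be fixed promptly, rotating the key on the modern hosts separates them from it.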

On its main website Mossack Fonseca claims its Client Information Portal provides a “secure online account” allowing customers to access “corporate information anywhere and everywhere”. The version of Drupal used by the portal has at least 25 vulnerabilities, including a high-risk SQL injection vulnerability that allows anyone to remotely execute arbitrary commands. Areas of the portal’s backend can also be accessed by guessing the URL structure, a security researcher noted.


Mossack Fonseca’s webmail system, which runs on Microsoft’s Outlook Web Access, was last updated in 2009, while its main site runs a version of WordPress that is three months out of date. A further vulnerability makes it possible to easily access files uploaded to the backend of Mossack Fonseca’s site simply by guessing the URL.
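Two of the lapses Wired lists are the same thing seen twice: backend areas and uploaded files reachable by anyone who guesses the URL. Guessing leaves a very recognisable trail in the web server’s access log, and a firm that had done the data security review it should have done in March 2015 would have been watching for it. The script below is an added example (not code from this post, from Wired or from Mossack Fonseca): it parses constructed Apache-style log lines and flags any client that walks many distinct paths under a backend or upload prefix in a short window, mostly collecting 404s, and lists the paths where that client got a 200, which are the ones a responder triages first. The prefixes, addresses and paths are assumed sample values.

```python
"""Spot URL-guessing against backend and upload paths in access logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed prefixes a client should never be guessing under: admin area and file-upload storage.
WATCHED_PREFIXES = ("/admin", "/sites/default/files", "/uploads")

# Apache combined log format, up to the status and size fields; the rest is ignored.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # ?id=1 and ?id=2 count as the same path
    return rec


def detect_enumeration(lines, window=timedelta(minutes=5), min_distinct=8, min_miss_ratio=0.6):
    """Return {ip: finding} for clients enumerating watched paths.

    A finding is the densest `window` in which the client requested at least
    `min_distinct` distinct watched paths with a 404 share of `min_miss_ratio`
    or more; `hits` lists the watched paths that returned 200 in that window.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(WATCHED_PREFIXES):
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            distinct = {r["path"] for r in span}
            misses = sum(1 for r in span if r["status"] == 404)
            qualifies = len(distinct) >= min_distinct and misses / len(span) >= min_miss_ratio
            if qualifies and (ip not in findings or len(distinct) > findings[ip]["distinct_paths"]):
                findings[ip] = {
                    "distinct_paths": len(distinct),
                    "misses": misses,
                    "hits": sorted({r["path"] for r in span if r["status"] == 200}),
                }
    return findings


def _line(ip, t, path, status):
    """Build one constructed combined-format log line."""
    ts = t.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 1024 "-" "Mozilla/5.0"'


BASE = datetime(2016, 4, 9, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # constructed: one client walking a guessable upload path, nine misses and one hit in two minutes
    [_line("203.0.113.7", BASE + timedelta(seconds=12 * i),
           f"/sites/default/files/private/client-{i:02d}.pdf", 200 if i == 6 else 404)
     for i in range(10)]
    # constructed: ordinary staff use of the admin area, repeated visits to one known path
    + [_line("198.51.100.4", BASE + timedelta(minutes=m), "/admin/content", 200) for m in range(3)]
    + [_line("198.51.100.4", BASE + timedelta(minutes=4), "/", 200)]
)

if __name__ == "__main__":
    for ip, finding in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {finding['distinct_paths']} distinct paths, {finding['misses']} misses, hits: {finding['hits']}")
```

The thresholds are deliberately loose; on a real portal you would tune `min_distinct` and the window against a baseline of normal traffic, and the detection is only the second line. The first is the authorisation check the portal itself should have been doing on every backend and upload path.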

It’s a trainwreck, isn’t it? “Precisely what vulnerability the attacker used is not known”, says Wired, bemused by the range of possibilities.

It is utterly unclear what lasting effect will be felt in the offshore financial industry from the Mossack Fonseca leak. There are a few pointers towards much greater risk and expense, at any rate. Employees with access to sensitive data now know that the starting price for information of interest to tax authorities is $1Mn and could be a multiple of that: retirement beckons for the nerveless, well-positioned and underpaid. Idealistic and not-so idealistic hackers, state sponsored or private, can see a vista of easy pickings among Mossack Fonseca’s competitors. Insurers and cloud services providers can see an unmanageable liability risk of incalculable size. Offshore clients can now see the catastrophic risk of exposure: loss of reputation, and prosecution.

Those are serious headwinds for this perennially seedy and opaque industry; if you are not up to speed, there’s some colourful detail on that seediness here, from a veteran observer.

What of the privacy implications of this kind of hack, though? Says Ramon Fonseca: “Each person has a right to privacy, whether they are a king or a beggar”. I daresay he’d be a more sincere-looking privacy advocate if his own firm hadn’t casually made such a spectacular mess of securing its clients’ data; but then, he doesn’t have to believe what he says himself: he just has to make sure his clients and sponsoring politicians believe it.

The journalists involved would presumably invoke the public interest, and that looks persuasive to me, subject to scruples about naming and shaming innocent bystanders. What’s different about this leak is the scale, not the nature of it.

Still, there are more serious privacy commentators than Mr Fonseca, and they can see a problem, which the panamapapers have now emphasised. The last word goes to one of them, legal commentator David Allen Green, in the FT and at the JackofKent blog:

Some of those who are loudest in their support for the leak of the Panama Papers will, on other occasions, also be those who campaign for greater data privacy and for the routine use of encryption. Just as there seems to be a form of cognitive dissonance on the part of those officials and politicians who simultaneously want greater surveillance of citizens by the state and weaker freedom of information rights for citizens against the state (which I have written about here), there is a corresponding but inverse tendency to celebrate large data leaks while calling for a total right to data security.

It is almost as if the language of “fundamental” rights has been appropriated for partisanship: data security is an “absolute” entitlement for the Good Guys but not for the Bad Guys. But any “fundamental” or “absolute” protection that is dependent on the virtues of those being protected is neither fundamental nor absolute.

2 thoughts on “#panamapapers and Mossack Fonseca’s Reckless, Feckless IT Security: Was That Breach a Privacy Curse or a Transparency Blessing?”

  1. Do you really think 2.6TB of online documents can be hacked? I was reading some blogs in the last week that regard this as an insider job. In fact, I kind of agree with the insider job theory. In fact, in your blog you’ve pointed out there was an 80GB leak at Mossack Fonseca earlier. That means there was something going on at the top level of the firm’s hierarchy. Therefore, the most logical thing here is the insider job document leak rather than hacking. Please point out if there’s any lacunae in my logic.

    • Yes I really think 2.6TB of documents can be hacked. Based on MF’s current web site speed it would take about 150 days without download management, maybe 40 days with. Add some overhead for whatever manual intervention was needed and you have got, what, 2-3 months maybe. That fits the relevant parts of the accounts given by both MF and ICIJ.

      So I am not sure why you think the insider job theory is worth bothering with. It looks like a leap, given the available info. That’s lacuna 1.

      Firms that have dire MF-style IT security visible typically don’t have a good internal security policy either. Even if you are right about the inside job, it’s another big leap to conclude that someone senior in MF had anything to do with it, except by virtue of neglect. That’s lacuna 2.

      Short version: in principle you could be right, but you have no supporting evidence yet. Over to you to find it.


Submitted in: News_hacks, News_politics, News_privacy, Richard Smith