The Panama Papers

Possibly the most significant data breach of our age.


We’ve seen data breaches come and go; they make headlines for a couple of days, maybe a couple of weeks and are largely forgotten, except by those whose data has been compromised and their subsequent victims.

The ‘Panama Papers’ take data breach to a whole new level. They’ve already cost the Icelandic Prime Minister his job, and have made life very uncomfortable for David Cameron, the British Prime Minister, even if his sins would appear to be a lack of communication rather than financial impropriety. They’re not alone, though: 12 national leaders are listed among the 143 politicians.

Well, Mossack Fonseca – the source of the data breach – is the world’s fourth biggest provider of offshore services; it has acted for more than 300,000 companies, more than half of which are registered in the UK or British-administered tax havens.

The scale of the breach in itself is mind-boggling: 2.6 terabytes of data, comprising 11.5 million documents, extracted from Mossack Fonseca’s systems. That dwarfs the 1.7 gigabyte ‘Wikileak’ in 2010 or the 3.3 gigabyte leak of files from HSBC in 2015.

The most recent breach is thought to have taken place in December 2015, but papers are currently being analysed by 370 reporters from 100 media organisations. The documents take the form of 4.8m emails, 3m databases, 2m PDFs, 1m images and 320,000 image files.

And the source of the breach?

Well, the smart money currently suggests that Mossack Fonseca were using WordPress and Drupal plugins that stored database credentials in clear text.

The Mossack Fonseca client portal was running on a version of the Drupal CMS that was known to be insecure, with over 23 vulnerabilities known to the InfoSec (and presumably the hacker) communities.

So, what’s the moral of this particular story?

Well, aside from the whole question of offshore tax havens, the simple lesson for the InfoSec community is to ensure that you are running the latest versions of all your software, and that all patches are applied in a timely manner.

While payment data hasn’t been leaked in this situation, this is something that the PCI DSS Standard clearly covers in section 6.2 (a) “Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches?”