Recent news on the Panama Papers describes it as the largest data leak ever. A total of 11.5 million documents were leaked to journalists, comprising 4.8 million emails, 3 million database files, 2.1 million PDFs and 1.1 million images. The data appears to cover over 40 years of information retained by the Panamanian law firm Mossack Fonseca. The firm provides corporate services, such as the creation of offshore shell companies.
The data was originally shared by an anonymous person to journalists at a German newspaper. The data was then shared with the International Consortium of Investigative Journalists. Journalists from over 75 countries reviewed the data. The data was released by the source over a year, beginning in 2015. Journalists have released some findings and plan to release more in coming weeks.
Information about the actual leak is still vague. It is reported that the law firm was running WordPress with plugins that were three months out of date and had known vulnerabilities. According to Wordfence, a WordPress plugin software company, the law firm’s web server was not behind a firewall. Additionally, the web server was on the same network as the email server. It is possible that the attacker reached the email server through the WordPress server.
Emails are reported to have been unencrypted, and the client portal had not been updated since 2013. The out-of-date Drupal software used for the portal had an estimated 25 vulnerabilities. To further compound the cyber security risks, the server was misconfigured and the Outlook Web Access login had not been updated since 2009.
Key Lessons for Small Businesses
- Make sure your WordPress, Drupal, and plugins are patched frequently. Have your IT person check at least monthly to ensure the latest updates are installed. If a WordPress theme is not being updated by the developer, change the theme. A pretty layout and graphics are not worth the cyber risk.
- Place servers behind firewalls. The investment in a good firewall is worth it and prices can be very affordable even for small businesses. Have your IT person review your configuration.
- Review your network configuration with your IT person. Have them explain why it is secure in its current state and where any vulnerabilities exist.
- Make sure your law firm (and other partners that hold your sensitive information) have strong security. Ask to see their latest security audit. Evaluate the risk level if they were to lose your data and make sure they provide the protection you need.
- If you are a significant client of a supplier, don’t hesitate to request that an external security company perform a cybersecurity audit. You have as much to lose as they do if they suffer a data breach.
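The first lesson above calls for a monthly check that WordPress and its plugins are current. Below is an added example of what that check can look like when scripted rather than done by hand; it is not code from the original post or from Wordfence. It assumes WP-CLI (the real `wp` command) is installed on the web host and that the site lives at the assumed path `SITE_PATH`. The sample JSON is constructed so the report logic can be exercised without a live site.

```python
"""Monthly patch-currency check for a WordPress site.

Added example; not code from the original post or from Wordfence. It assumes
WP-CLI (`wp`) is installed on the web host and that the WordPress install is
at SITE_PATH (an assumed location). SAMPLE_WP_JSON is constructed sample
output so the reporting functions can run offline.
"""
import json
import subprocess
import sys

SITE_PATH = "/var/www/example-site"  # assumed location of the WordPress install

# Constructed sample of `wp plugin list --update=available --format=json`
# output; plugin names are placeholders, not real projects.
SAMPLE_WP_JSON = json.dumps([
    {"name": "example-gallery", "status": "active", "update": "available",
     "version": "1.4.0", "update_version": "1.6.2"},
    {"name": "example-forms", "status": "inactive", "update": "available",
     "version": "2.0.1", "update_version": "2.0.3"},
])


def parse_pending_updates(json_text):
    """Return (plugin, installed, available, is_active) for each plugin that
    WP-CLI reports as having an update available."""
    rows = json.loads(json_text)
    return [(r["name"], r["version"], r["update_version"], r["status"] == "active")
            for r in rows if r.get("update") == "available"]


def query_live_site(site_path=SITE_PATH):
    """Ask WP-CLI for plugins with pending updates on a real install."""
    result = subprocess.run(
        ["wp", "plugin", "list", "--update=available", "--format=json",
         "--fields=name,status,update,version,update_version",
         f"--path={site_path}"],
        check=True, capture_output=True, text=True)
    return parse_pending_updates(result.stdout)


def build_report(pending):
    """Human-readable summary. Inactive plugins are still flagged: their
    files stay on disk under wp-content/plugins and remain reachable
    from the web even when the plugin is disabled."""
    if not pending:
        return "OK: no plugin updates pending"
    lines = [f"WARNING: {len(pending)} plugin update(s) pending"]
    for name, installed, available, active in pending:
        state = "active" if active else "inactive"
        lines.append(f"  {name}: {installed} -> {available} ({state})")
    return "\n".join(lines)


def exit_status(pending):
    """Non-zero when anything is pending, so cron mail or a monitoring job
    notices the condition without parsing the report text."""
    return 1 if pending else 0


if __name__ == "__main__":
    try:
        pending = query_live_site()
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        # Missing WP-CLI or a failed query is itself worth an alert.
        print(f"could not query site: {exc}")
        sys.exit(2)
    print(build_report(pending))
    sys.exit(exit_status(pending))
```

Scheduling this from cron on the first of each month (for example `0 6 1 * * /usr/bin/python3 /opt/checks/wp_updates.py`) gives the IT person the monthly review the lesson asks for, with the non-zero exit status making a pending update visible even if nobody reads the output. The same idea applies to the Drupal portal mentioned above using Drush, which is left out here to keep the example to one tool.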
Learn more about how to protect your small business or nonprofit by attending our specialized training tailored to your needs. Details, schedule, and registration can be found here.
Wordfence. (2016, April 8). Blog entry. Retrieved from https://www.wordfence.com/blog/2016/04/panama-papers-wordpress-email-connection/
Garside, J. (2016, April 16). Panama Papers: inside the Guardian’s investigation into offshore secrets. The Guardian. Retrieved from http://www.theguardian.com/news/2016/apr/16/panama-papers-inside-the-guardians-investigation-into-offshore-secrets
Greenberg, A. (2016, April 4). How Reporters Pulled Off The Panama Papers, The Biggest Leak in Whistleblower History. Wired. Retrieved from http://www.wired.com/2016/04/reporters-pulled-off-panama-papers-biggest-leak-whistleblower-history/
Gross, G. (2016, April 5). The massive Panama Papers data leak explained. Computerworld. Retrieved from http://www.computerworld.com/article/3052218/security/the-massive-panama-papers-data-leak-explained.html
Temperton, J. and Burgess, M. (2016). The security flaws at the heart of the Panama Papers. Wired.co.uk. Retrieved from http://www.wired.co.uk/news/archive/2016-04/06/panama-papers-mossack-fonseca-website-security-problems
The Panama Papers (2016, April 3). A new ICIJ investigation exposes a rogue offshore industry. Retrieved from https://panamapapers.icij.org/blog/20160403-new-icij-investigation-exposes-rogue-offshore-industry.html