Panama Papers breach was the result of lax security practices?

News items based on the so-called “Panama Papers,” a set of 11.5 million documents leaked from the networks of Panama-based law firm Mossack Fonseca, keep popping up, but it’s still unknown who the person behind the leak is and how he or she managed to get ahold of the documents.

The leaked emails, PDF files, photos, excerpts of an internal company database cover a period from the 1970s to 2016. In total, 2.6 terabytes of data have been stolen from the company.

That huge amount of data couldn’t have been exfiltrated in a short time, and one wonders how the company failed to spot the data going out.

But maybe that astonishment is misplaced, as bit by bit details of the company’s poor security posture are coming out.

What does Mossack Fonseca say?

In a notification sent to its customers, Mossack Fonseca said that the hack happened on their email server. But that’s surely only part of the truth, because who keeps that much data (and very old data, at that) on an email server?

The company’s founding partner Ramon Fonseca also said that the hack and the leak was not an inside job, and that they have a theory about how it happened and are investigating it, but offered no more details. He noted that the Attorney General’s office received complaints and that a government institution is “studying the issue.”

Apparently, the company has hired (in Spanish) expert consultants to fix the security of their systems to prevent such an incident from happening again.

What do security experts say?

On the other hand, it seems that the company did an extremely poor job at securing the documents in the first place, and that’s something many of its customers (current and potential) are unlikely to forgive or overlook.

Apparently, there are many vectors that the hacker could have exploited to breach the company’s networks and systems.

Forbes reports how the the firm’s website ran a three-month old version of WordPress, and its customer portal most likely ran a three-year-old version of Drupal. That’s a lot of unfixed vulnerabilities that could have been easily exploited.

“The firm ran its unencrypted emails through an outdated (2009) version of Microsoft’s Outlook Web Access. Outdated open source software running the frontend of the firm’s websites is also now suspected to have provided a vector for the compromise,” says WP Tavern’s Sarah Gooding. She added that the firm’s main site is also loading a number of outdated scripts and plugins.

In addition to all this, the firm’s email servers haven’t been set up to encrypt emails.

Finally, it’s telling that the hacker offered the exfiltrated documents to a Süddeutsche Zeitung (SZ) journalist back in early 2015, and the company noticed that they have been breached only now. Security has obviously not been the company’s priority.

That’s not such a surprise as it should be. According to Dr Daniel Dresner, a lecturer in cyber security at Manchester University’s school of computer science, law firms often have a lax approach to security.

“There’s always a feeling in the legal fraternity that whatever happens they’ll be able to get off the wrap because they’re clever legal people,” he told Wired.

“People are now starting to realise that legal companies are a great target. When you think about the size of stuff that they’re negotiating, who they’re negotiating for and the number of different parties involved, the motivation is there for people who want a bit of insider information.”

The recent revelation that highly prestigious US law firms are being successfully targeted by hackers confirms this.