Appleby, a major offshore law firm based in Bermuda, has confirmed that it suffered a data security incident in 2016 that resulted in some of its data being compromised.
It’s doubtful that the wider public would ever have known about this were it not for the US-based International Consortium of Investigative Journalists (ICIJ) and partner media organisations, who got in touch with the company to confirm some of the things included in documents that have apparently been stolen in the hack.
Stories based on those documents are expected to be published soon, so the law firm decided to get ahead of the publications and present its side of the story.
About Appleby and the breach
Appleby employs 470 people and operates from 10 offices across the world (mostly in other tax havens). It advises “global public and private companies, financial institutions, and high net worth individuals, working with them and their advisers to achieve practical solutions, whether in a single location or across multiple jurisdictions.”
Unfortunately, the statement does not include any details about the actual breach. The company simply states that they’ve reviewed their cyber security and data access arrangements in the wake of the breach, and that these arrangements have been tested by a “leading IT Forensics team.”
“We are disappointed that the media may choose to use information which could have emanated from material obtained illegally and that this may result in exposing innocent parties to data protection breaches. Having researched the ICIJ’s allegations we believe they are unfounded and based on a lack of understanding of the legitimate and lawful structures used in the offshore sector,” the company added.
“We are an offshore law firm who advises clients on legitimate and lawful ways to conduct their business. We do not tolerate illegal behaviour. It is true that we are not infallible. Where we find that mistakes have happened we act quickly to put things right and we make the necessary notifications to the relevant authorities.”
The revelation of the breach comes a year and a half after news items based on the “Panama Papers,” a set of 11.5 million documents leaked from the networks of Panama-based law firm Mossack Fonseca, began to be published.
That breach is thought to be a consequence of some very lax security practices.
“Privacy and discretion are at the heart of a business like Appleby, therefore a breach of this kind can have serious repercussions on the organisation as a whole. Financial information, particularly tax arrangements, can be as sensitive as medical information and if exposed can be the source of embarrassment and reputational damage for Appleby’s clients – even if they are not breaking any laws, it’s the public perception that can be damaging,” Andy Waterhouse, EMEA Director at RSA Security, commented for Help Net Security.
“When selecting partners, these individuals expect that their data will be highly guarded to prevent such exposure. The fact that they have been exposed in this way creates a huge break in trust with Appleby and could have serious ramifications in the long term on its own reputation as a vault of secrecy,” he noted.
“What is even more worrying is that this breach occurred in 2016 but is only now coming to light, and the details at present are scant. While it is impossible to be 100% secure – any company can be breached – when people’s lives are hanging in the balance, being able to quickly identify exactly what customers have been impacted, what data has been lost, and how that happened is essential.”