My first reaction after reading accounts about the breach of a vast trove of financial and related information from the Panamanian law firm Mossack Fonseca was to channel John Le Carré and his famed Panamanian tailor/spy Harry Pendel.
However, the reality is much less interesting. The story is actually about a company with third-rate security that gets exploited by a routine hack.
While the details of the attack on Mossack Fonseca haven’t been fully revealed, and while there’s a great deal of hay being made by newspapers reporting details about prominent people who have offshore financial accounts, the really important story is about what was’’t in the breach. And no, I’m not talking about the puzzling lack of involvement by Americans. What’s clearly lacking is even the most basic attempt at protecting the firm’s client data.
The firm’s founding partner, Ramon Fonseca, has revealed in an interview with Reuters that the attack that allowed hackers to make off with something over two terabytes of sensitive scans and images along with other information was an external hack. He said that this was not an inside job. That’s a surprising confession made only a couple of days after the hack was discovered and after the contents of the firm’s files were published far and wide in newspapers and on Websites.
So what really happened? Security experts I’ve talked to tell me that Mossack Fonseca was almost certainly the victim of a spear-phishing attack, with an email that released malware that opened up access to the firm’s network. That would make Fonseca’s statement correct, since it doesn’t appear that an insider knowingly unleashed the malware or emailed the data to co-conspirators.
The chances are very good that the critical information came from inside the firm, perhaps unwittingly. The names of some of the lawyers at the firm can be found on the company’s Website with minimal effort. The names of the principals are public, but which of these people to attack? A list of partners with their email addresses could be all that was needed.
Well placed emails were all that was required to carry out the recent spate of CEO spear-phishing attacks that have recently struck companies of all sizes. A senior person at a company gets an email with a plausible request for information that seems to be from someone they know.
The executive provides the requested information and clicks. That’s all it takes.
“It’s very easy because a lot of companies don’t have a lot of security awareness education programs on how to avoid being spear-phished,” said Tyler Cohen Wood, a security advisor at Inspired eLearning.
Wood is a former Defense Intelligence Agency senior intelligence officer and cyber-deputy division chief, who has over 16 years working on security issues at the Department of Defense. She said that many breaches can be avoided with some fairly straightforward training in recognizing a spear-phishing attack.
The theft of so much data could have been enabled by what Wood calls an “unintentional insider,” which is someone who provides the critical information for penetrating a network without realizing that they are doing so. She said that such gaps in security can be reduced by appropriate training.
But much of the blame at the firm goes beyond just training employees. Like Target before its breach, apparently there was nothing to prevent someone who had access to the network from getting anywhere on the network they wanted, including some highly sensitive areas that contained the private information of clients.
Worse, there appears to have been nothing in the way of intrusion detection. How else can you explain the ability to move that much data out of a network without anyone noticing? Even if someone had walked into the law firm’s office with a portable hard drive and started copying, the process would have taken hours or days. If the breach was done remotely as the firm claims, it could have taken weeks to siphon off all that data.
Regardless of how the perpetrators breached the network, the fact is that lax security practices at Mossack Fonseca must have played a role. Otherwise, even if hackers had managed to get in without assistance, they couldn’t have downloaded so much data.
There are important lessons in the Mossack Fonseca breach, not the least of which is to pay more than lip service to security. Even if it’s not possible to eliminate all breaches, it’s still possible to limit the damage.
Hopefully the firm will take steps to lock things down. And hopefully when all those Icelandic, Russian and Chinese leaders go looking for a private place to shelter the proceeds of their graft, they’ll check the service provider’s security before they do anything else.
Originally published on eWeek.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…