Posted on June 3, 2016 by staff

UK firms should learn the lessons of Panama Papers


In April, news broke that 2.6 terabytes of data –equating to 11.5m documents – were leaked from a Panamanian law firm called Mossack Fonseca. Dubbed the Panama Papers, it became the biggest leak in history, dwarfing the data released by the Wikileaks organisation in 2010. Since then, many of the firm’s high profile clients have been the subject of negative front page headlines all over the world. But how did it happen and could the UK experience a similar breach? Katherine Lofthouse investigates.

Mossack Fonseca might disagree with the adage that there’s no such thing as bad publicity.

The involuntary star of the world’s biggest data breach is now the subject of various investigations but the question remains: how did it happen at all?

Technical error provided the means and human error provided the opportunity. It created a perfect storm for a security breach that might have been avoided – or at the very least mitigated – if it had been tackled earlier.

Mossack Fonseca’s IT systems were not fit for purpose and had multiple potential weak points. Tech experts have pointed out that the company’s Outlook Web Access portal was out-of-date and its content management system was built on open-source software Drupal.

Open-source projects can be more attractive to attackers, says Mark Blackhurst, co-founder and director of Manchester-based marketing agency Digital Next.

“It’s a numbers game. It’s easier for attackers to put spam and bad content into sites they know and because so many sites are built in, say, WordPress, if they build a simple script to attack WordPress sites then chances are they’re going to get a positive hit back.”

One potential point of entry in the case of the Panama Papers was an unpatched plugin – an add-on third party software that businesses can use to do specific tasks without having to build it themselves.

They are one of the easiest ways of being breached, says Blackhurst.

“The best thing is to keep your website, plugins and password up-to-date,” he says. “That’s usually how people get hacked because they leave it to run for six months unpatched.

“It’s like keeping a car up-to-date with its MOT – you can’t buy a website and leave it to rot on the internet, you have to look after it and make sure it’s well serviced.”

James Maude, senior security engineer at Manchester-based security software firm Avecto, says: “Open source isn’t inherently more vulnerable.

“It comes down to organisations like Mossack Fonseca keeping their security up-to-date and having multiple layers of security so that if one fails another will take over.”

Andy Hague, managing director of Manchester-based security firm Secarma, says: “With a breach that size they would probably have noticed in seconds if they had any kind of monitoring in place.”

According to Hague, the biggest problem is that too many companies are complacent.

“It’s a great example of not appreciating what you’ve got and protecting it,” he says.

“Most companies still don’t think it will happen to them; that just because they don’t hold any customer credit card details they aren’t a target.

“What they don’t realise is that any aspect of your data can be monetised by an attacker.”

So could a similar breach happen in the UK? Colin Robbins, managing consultant at Nottingham-based security firm Qonex, thinks it could.

“One of the interesting elements of the story is that the breach happened over an extensive period of time,” he says. “Chances are some UK law firms have already been ‘done over’, they just don’t know it yet.”

BusinessCloud contacted a number of big-name UK law firms on the issue but they were staying tight-lipped.

“We’ve been asked not to comment on this matter,” was the response of one managing partner.

With cyber attacks taking place on businesses of all sizes, Digital Next’s Blackhurst says it’s vital that firms are proactive.

“Most hacking situations are reactive,” he says. “We’re told by the client that they’ve been hacked, or they notice a story about it online, and then they react.

“You need proactive solutions so that as soon as something happens you know about it. It’s never going to be fool-proof because of how fast the internet is moving but protecting yourself is about how you partner with someone who will educate you along the way.

“Partner with whoever developed your website –if you have a maintenance agreement then that partner is there and someone you can rely on – and also invest more heavily in a firewall, the fence that sits around your site, so you can hear the noises of an attack before it happens.”

Mike Carter, technical director at Warrington-based Drupal specialists Ixis, says companies can make themselves safer by setting up alerts.

“Products like Drupal have systems built in to alert their owners when systems are out of date or insecure,” he explains.

“In the case of the Mossack Fonseca leak either the admins would have had them turned off or they were simply not aware of what the messages meant and how critical they were.”

To ensure that you can recognise these warning signs, knowing your system is also important, he continues. “A lot of clients that approach us to look after their site aren’t even aware of what tech is underneath the pretty design.

“There were lots of different bits of open-source software involved in the Mossack Fonseca system and any part of the chain that’s not kept up to date and secure can create a possible hole for someone to get through.

“If you’re now looking at your site and are worried, do a health check – a security audit of both the software and the whole infrastructure the platform is built on.

“It’s similar to basic things like the fire brigade checking your smoke alarm every Tuesday. Our client sites are constantly checked every day but updates come out once a week so we check for them.”