Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

The World Largest Data Breach Comes From a Law Firm

April 7, 2016

It appears that we will have jaw-dropping revelations from what has become known as the Panama Papers for a long time to come. The Panamanian law firm that was breached was Mossack Fonseca, which provides services including incorporating companies in offshore jurisdictions such as the British Virgin Islands. It is the fourth largest provider of offshore services. 2.6 terabytes of data – some 11 million files – were exposed, along with the sort of offshore hiding of monies that has become the stuff of legend in the last few decades. The documents span an almost 40-year period from 1977 when the law firm was formed.

An anonymous source passed the data to the German newspaper Suddeutsche Zeitung, which has shared them with the International Consortium of Investigative Journalists. The Consortium is assisting in analyzing them. The BBC says the documents show how the law firm has helped clients launder money, dodge sanctions and evade taxes.

Iceland's Prime Minister has resigned, the first prominent political fallout from the leaks. But the firm itself is coming under scrutiny, the BBC reporting that it worked with 33 individuals or companies who have been placed under sanctions by the U.S. Treasury, in some cases continuing the representation after the sanctions were in place.

Vladimir Putin was apparently involved with $2 billion in offshore accounts. A member of FIFA's Ethics Committee (that has GOT to be a misnomer) was exposed. Others included drug dealers, arms traders, human traffickers and fraudsters.

Since 100 media outlets broke the story on Sunday, each day continues to bring revelations – and we are by no means done.

So far, though Mossack Fonseca has blamed "an e-mail server attack," no one seems to believe it. The scale of the breach suggests much more than finding a password or tricking a user into opening a malware-infested attachment. So said Naked Security in its story acknowledging that we don't yet know how the hackers did it. Or was it an insider?

What other experts have concluded, and John and I are inclined to agree, is that the amount of data exfiltrated from the law firm suggests that it didn't have any sort of data loss prevention protection.

Though we haven't seen much about the American individuals/companies cited in the leaked data, it has been widely reported that such information will be made public shortly.

Hat tip to Chris Haught.

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
www.linkedin.com/in/sharondnelson

Sharon D. Nelson, Esq.
President

Subscribe in a Reader

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Ride the Lightning

The World Largest Data Breach Comes From a Law Firm

Subscribe for More!

Recent Posts

Listen to the Podcast

Disclaimer