Artificial IntelligenceCryptocurrencyMetaverseCybersecurityTech Forward

The Laughably Bad Security at ‘Panama Papers’ firm Mossack Fonseca

April 9, 2016, 3:14 PM UTC
PANAMA-PAPERS-MOSSACK-FONSECA
View of a sign outside the building where Panama-based Mossack Fonseca law firm offices are in Panama City, on April 4, 2016. A massive leak -coming from Mossack Fonseca- of 11.5 million tax documents on Sunday exposed the secret offshore dealings of aides to Russian president Vladimir Putin, world leaders and celebrities including Barcelona forward Lionel Messi. An investigation into the documents by more than 100 media groups, described as one of the largest such probes in history, revealed the hidden offshore dealings in the assets of around 140 political figures -- including 12 current or former heads of states. AFP PHOTO/ Rodrigo ARANGUA / AFP / RODRIGO ARANGUA (Photo credit should read RODRIGO ARANGUA/AFP/Getty Images)
Photograph by Rodrigo Arangua AFP/Getty Images

There are many lessons to be learned from this week’s leak of the so-called “Panama Papers,” but here’s some real news you can use: If you’re a law firm dealing with the highly sensitive financial information of the world’s most powerful people, you should probably update your software more than once every seven years.

It’s still not clear precisely how a giant trove of documents detailing offshore tax shelters made its way out of the Panamanian law firm Mossack Fonseca, and into the hands of journalists around the world. But in an examination of the firm’s public-facing systems, experts speaking with Wired UK found them riddled with a jaw-dropping array of security vulnerabilities.

Get Data Sheet, Fortune’s technology newsletter.

Mosseck Fonseca’s client portal, according to Wired, runs on a version of Drupal last updated in 2013, and vulnerable to an array of attacks, including one that would allow attackers to execute commands on the site. Another weakness allows access to the site’s backend just by guessing the right web address.

Just as bad is the firm’s webmail portal, which runs Microsoft (MSFT) Outlook Web Access, and hasn’t been updated since 2009. The firm also did not encrypt its emails. As one expert speaking to Wired put it, “They seem to have been caught in a time warp.”

For more on the Panama Papers, watch our video:

In internal documents, Fonseca told customers that an email hack was at least partly to blame for the document leak. Given the very comprehensive nature of the data still being combed through by journalists worldwide, it seems unlikely that either email or a customer portal were the source of all of it. But if the firm’s internal data systems were maintained as negligently as its frontend, it might not have been a huge challenge to extract 26,000 pickup truck-loads worth of extremely sensitive secrets.