Skip to Content

The Laughably Bad Security at ‘Panama Papers’ firm Mossack Fonseca

View of a sign outside the building where Panama-based Mossack Fonseca law firm offices are in Panama City, on April 4, 2016.Photograph by Rodrigo Arangua AFP/Getty Images

There are many lessons to be learned from this week’s leak of the so-called “Panama Papers,” but here’s some real news you can use: If you’re a law firm dealing with the highly sensitive financial information of the world’s most powerful people, you should probably update your software more than once every seven years.

It’s still not clear precisely how a giant trove of documents detailing offshore tax shelters made its way out of the Panamanian law firm Mossack Fonseca, and into the hands of journalists around the world. But in an examination of the firm’s public-facing systems, experts speaking with Wired UK found them riddled with a jaw-dropping array of security vulnerabilities.

Get Data Sheet, Fortune’s technology newsletter.

Mosseck Fonseca’s client portal, according to Wired, runs on a version of Drupal last updated in 2013, and vulnerable to an array of attacks, including one that would allow attackers to execute commands on the site. Another weakness allows access to the site’s backend just by guessing the right web address.

Just as bad is the firm’s webmail portal, which runs Microsoft (MSFT) Outlook Web Access, and hasn’t been updated since 2009. The firm also did not encrypt its emails. As one expert speaking to Wired put it, “They seem to have been caught in a time warp.”

For more on the Panama Papers, watch our video:

In internal documents, Fonseca told customers that an email hack was at least partly to blame for the document leak. Given the very comprehensive nature of the data still being combed through by journalists worldwide, it seems unlikely that either email or a customer portal were the source of all of it. But if the firm’s internal data systems were maintained as negligently as its frontend, it might not have been a huge challenge to extract 26,000 pickup truck-loads worth of extremely sensitive secrets.