The Panama Papers Signal A New Kind of Cyber Attack
As a trove of leaked documents dubbed the ‘Panamanian Papers’ ripple across several nations, world leaders are feeling the heat. Russian President Vladimir Putin has called the exposure of offshore bank accounts an American plot, while Iceland named a new prime minister and British Prime Minister David Cameron admitted that he profited from an offshore trust. The Panama Papers represent the future of political scandal in the digital age – from the initial hack down to the cloud technology used to analyze the documents. Journalists Bob Woodward and Carl Bernstein, who famously took down Richard Nixon, could hardly have imagined working with millions of pages of confidential documents.
This generation’s Watergate will be conducted through shared folders and chatrooms. Mossack Fonseca, the hacked law firm, embodies the cyber risk to which many organizations have not yet woken up. Hackers are clearly after more than just credit cards and social security numbers. The breach is at once a glimpse into the brave new world of online leaks and a warning that all organizations should assume any sensitive information to be a potential target.
The Panama Papers is 1,500 times the size of Wikileaks’ 2010 disclosure, and the largest leak journalists have ever worked with and one distinctly belonging to the digital era. The sheer amount of data stolen could only logistically happen through an online hack: 11.5 million files totaling 2.6 terabytes equates to loads of books requiring 2,600 pickup trucks! Modern whistleblowers no longer have to sneak documents out of the office in a manila folder. They can extract an entire database to comb through remotely. The data dump of nearly every document from law firm Mossack Fonseca from the past 40 years represents what one journalist calls the Moore’s Law of Leaks, suggesting that disclosure sizes will grow at an exponential rate analogous to that of computing power.
The complex technology and execution behind the Panama Paper’s investigative operation would make any software architect proud. The journalists handling the data employed the latest information technology tools to download, share, and protect a huge database of sensitive information – a feat many companies would be challenged to accomplish. Initial outreach between whistleblower and journalist took place via encrypted messages. The team stored the photos encrypted in the cloud while journalists collaborated on findings in secure chat forums. Maligned by the government as a tool enabling terrorism, the use of encryption throughout this process validates claims of its application protecting privacy and political dissent.
The anonymous whistle-blower’s actions certainly resonate with anti-corruption principles, having revealed illegal and immoral activity from politicians and other public figures. The episode also raises concerns about privacy and the role of “hacktivism,” cyberattacks that are politically or ideologically motivated. Publicly releasing the entire cache of documents, as some have called for, calls into question the right to privacy of Mossack Fonseca clients, especially those who may not have committed illegal activity or do not hold public office. “Hacktivism” inherently takes decision-making away from the legal system. What happens when “hacktivists” act on behalf of principles or entities we consider deplorable or dangerous? Should the abuse of privacy of the innocent be considered unfortunate but necessary collateral damage? The Panama Papers demonstrate a new power for whistle blowers. Their legacies will depend on their judgment in wielding it.
Public figures are not the only ones now worried about their secrets. Mosack Fonsecca essentially exposed all of its sensitive client information, ruining its reputation for confidentiality. In the wake of this failure, every company is likely reevaluating the security of data and who they trust to store it.
It is tempting for organizations to view cybersecurity through a financial lens: social security numbers and trade secrets are valuable to hackers, but other data would not be worth their while to steal. Politically or ideologically motivated hackers are the wild cards of this risk formula. The Panama Papers theft forces organizations to assume that any sensitive information is a potential target for hackers, and that attackers could be driven by incentives other than purely financial. In other words, security’s task expands from guarding “what we think they want” to “what we do not want them to know.”
The greatest uncertainty lies with the data a company does not store itself. Every organization has partners with which it shares sensitive information. The average company exchanges data online with 1,555 partners, and not every partner will satisfy the security requirements that a bank or retailer requires. What makes matters worse is that one partner will often serve multiple corporations. The hack of a single online photo vendor affected customers of nearly all of the top North American drug store brands.
Then there are partners who receive a high concentration of confidential data. Mossack Fonseca stored a treasure trove of individuals’ financial secrets. How many companies store stockpiles of corporate secrets? Whether it is legal documents, intellectual property, or financial data, companies deal with information that would prove very troublesome if it fell into the wrong hands, like competitors or the public. As hackers’ methods and motives grow more complex, they are targeting information beyond the standard personally identifiable information (PII) that can be easily monetized.
Exemplifying this trend, anonymous sources revealed several top US legal firms suffered data breaches, with insiders suspecting hackers may have been after information to prey on many organizations. Mossack Fonseca’s was anything but an anomaly, as one senior partner reported, “Law firms are being deluged with attempts to crack their systems.” If the Target breach showed that hackers can use business partners to gain entry into corporations, these attacks demonstrate that business partners themselves now have information hackers want. In an unrelated incident, criminals hacked newswire services targeting the unreleased financial information in uploaded press releases.
How will the business landscape change in a world where organizations need to worry not only about their own cybersecurity, but that of the company sending out their press releases? Nearly half of companies do not evaluate the risk of vendors before transferring them data, but change may be underway. Law firms report facing more diligent scrutiny of their security capabilities, but all industries should pay attention to the missteps of Mossack Fonseca. The Panamanian firm employed outdated software with critical vulnerabilities, including that for its customer portal.
While the motives behind political leaks can be hard to predict, attacks on basic vulnerabilities are not. It will become harder for companies who handle sensitive information to get away with poor security practices.
The Panama Papers incident points to a brave new world in which no organization is a digital island. Every organization is at potential risk from every one of the bridges that connects it to others, and a cybersecurity lapse across any one of these bridges can become an existential threat.
Rajiv Gupta is CEO of Skyhigh Networks.