Following the massive 2.6 terabyte leak from the Panamanian corporate service provider and legal firm Mossack Fonseca, a sentiment emerges among security professionals assessing the wreckage at the secretive company.
In addition to the unsettling practices that the firm appears to have engaged in, the sheer volume of data released by the International Consortium of Investigative Journalists' Panama Papers brings a startling awareness of the potential damage of weak information security practices to a legal firm and its clients.
The dizzying quantity of data contained in the Panama Papers dwarfs the data released through Wikileaks by approximately 1,500 times. The files include more than 11.5 million confidential documents, 4.8 million emails, three million database records, and 2.1 million PDF files. The full list of companies is expected to be released early next month.
The leaked documents were released less than a week after a report of the federal investigation that brought the cybersecurity practices of US law firms Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP into the limelight.
A question lingers: will law firms' weak cyber practices begin to shift following these startling examples?
The two incidents “should catch law firms' attention,” a cybersecurity professional, who wanted to remain anonymous, told SCMagazine.com.
Based on the amount of data that was reportedly exfiltrated from Mossack Fonseca, SAS director of cyber strategy Christopher F. Smith projected that the organization probably didn't have DLP (data loss prevention). “After you were inside the perimeter, you basically had access to the keys to the kingdom.”
Several security pros agreed, noting that the leaks underscore the lack of preparedness among legal firms regarding insider threats. In a similar vein, intelligence agencies abruptly learned this painful lesson after the Snowden revelations almost three years ago.
“The Panama Papers leak appears to show just how critical it is that firms safeguard their information, not just from external forces, but also from inside adversaries,” said Ari Juels, professor at the Jacobs Technion-Cornell Institute and member of the Cornell Tech Security Group, in comments sent via email to SCMagazine.com. “In general, it's difficult to create systems and policies that strike an appropriate balance between enablement of legitimate whistleblowing and protection against outright theft of data.”
Mossack Fonseca “has now become a poster child for the shortcomings of widely relied upon security solutions,” wrote Seclore chief executive Vishal Gupta, in an email to SCMagazine.com. “Unless data-centric security solutions capable of persistently controlling use of documents are in place, there is very little likelihood Mossack Fonseca, or any data breach victim, can remediate the damage done from this incident.”
Organizations must “get away from this old-school thinking of ‘Inside good, outside bad,’” said Smith at SAS. “That doesn't exist anymore.”
If users “want to keep something confidential, don't put it on a computer, specifically one connected to the Internet,” warned Dodi Glenn, vice president of cybersecurity at PC Pitstop. “The very second you do that, you can assume the data can be purloined.”
The incident may prompt long-term repercussions that extend beyond the walls of Mossack Fonseca's worldwide offices and the properties of its ultra-rich clients.
Mark Sangster, vice president of marketing at eSentire, believes the leak may trigger a new regulatory landscape for law firms. “We're seeing many cases of insider data breaches that involve leaking sensitive data for front running trades or more malicious intent,” he said. “Until now, the legal industry has generally operated within a loose set of cyber security guidelines. However quickly, we expect to see hardline compliance rules and fines come to firms with sub-standard cyber security defenses in the future.”
“That is a failure,” said Smith. “If you can move 2.6 terabytes into or out of an organization, it is a problem.”