Try to do an information security risk assessment of a law firm your company uses. Give them an information security questionnaire to fill out and request key information security documents. If they host a lot of your sensitive data, ask for a SOC 2 report or even a penetration test report.

What are the chances you will not get major pushback? What about your right to audit? Can you come onsite and validate some key security controls?

Do you think law firms have had a free pass? Do you think the Panama Papers lawsuit will change anything? The Panama Papers refers to more than 11.5 million leaked documents that detail financial and attorney-client information on more than 214,000 offshore entities. The Panamanian law firm Mossack Fonseca created the leaked documents.

Do you think cyber crooks will take a peek at law firms more now – especially knowing how much sensitive data about people and corporations they may have? Is it all just about contractual terms and conditions?

Many of the bigger law firms have indeed taken information security seriously and have a sound information security program in place. But, as with many industries, the real challenges continue to haunt medium and small firms in particular, some of which have significant engagements with many big companies, putting sensitive data at risk.

Let us restate some of the facts we now know about the Panama Papers:

  • 11.5 million documents were revealed.
  • 2.6 Terabytes of data leaked.
  • Leaked by hackers and landing at the feet of the International Consortium of Investigative Journalists (ICIJ), who broke the story a year after obtaining the documents.
  • WIRED says it is “the biggest leak in whistleblower history” – bigger than Wikileaks Cablegate (2010) and Snowden’s NSA (2013) combined.
  • Law firm at the center of it – Mossack Fonseca.
  • Data spans almost 40 years (1977 to 2015) covering people and companies from more than 200 countries and territories – more than 214,000 companies – all available now in a searchable database.
  • Only 211 people with U.S. addresses. Bill Gates, on CNBC, said that was a surprise.
  • An anonymous whistleblower at Mossack Fonseca contacted reporter Bastian Obermayer of the German newspaper Süddeutsche Zeitung in 2014 and notified him about information related to criminal activities in Mossack Fonseca’s possession.
  • File types revealed: 4.8 million emails, 3 million in database formats, 2.1 million PDFs, 1.1 million images, 0.3 million text documents.

So what really was the issue? We may never know. But what we have gathered so far is that Mossack Fonseca used two of the more popular content management systems (CMS), WordPress and Drupal, to run their public and client-facing websites respectively. The client portal was used to share sensitive documents with clients. Both systems are open source and written in PHP.

Wordfence, a WordPress security company, found after in-depth analysis that the WordPress site was over three months out of date and the Drupal site was almost two years out of date. That’s not all: Mossack Fonseca also used obsolete third-party WordPress plugins that may have given hackers the free pass they needed.
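The kind of patch-currency check a defender would run against that finding, as an added example that is not code from the original post or from Wordfence: it reads the core version and each plugin's header from a WordPress tree and flags anything behind a reference list. The sample tree and the reference versions are constructed here; a real check would take the reference list from the vendor's update feed.

```python
"""Inventory WordPress core and plugin versions on disk and flag stale components."""
import re
import tempfile
from pathlib import Path

# Constructed sample install (hypothetical files, not a real site): one stale plugin.
SAMPLE = {
    "wp-includes/version.php": "<?php\n$wp_version = '4.1';\n",
    "wp-content/plugins/demo-slider/demo-slider.php":
        "<?php\n/*\nPlugin Name: Demo Slider\nVersion: 1.2.0\n*/\n",
    "wp-content/plugins/demo-seo/demo-seo.php":
        "<?php\n/**\n * Plugin Name: Demo SEO\n * Version: 3.0.1\n */\n",
}
# Assumed reference versions (hypothetical; normally sourced from the update feed).
LATEST = {"wordpress": "4.5", "demo-slider": "2.0.0", "demo-seo": "3.0.1"}

def parse_version(v):
    """'4.5.2' -> (4, 5, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def core_version(root):
    text = (root / "wp-includes/version.php").read_text()
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", text)
    return m.group(1) if m else None

def plugin_versions(root):
    """Map plugin directory name -> Version: from the first PHP file carrying a header."""
    found = {}
    for d in sorted((root / "wp-content/plugins").iterdir()):
        for php in sorted(d.glob("*.php")):
            m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php.read_text(), re.M)
            if m:
                found[d.name] = m.group(1)
                break
    return found

def stale_components(root, latest=LATEST):
    """Return {component: (installed, reference)} for everything behind the reference."""
    stale = {}
    core = core_version(root)
    if core and parse_version(core) < parse_version(latest["wordpress"]):
        stale["wordpress"] = (core, latest["wordpress"])
    for name, ver in plugin_versions(root).items():
        ref = latest.get(name)
        if ref is None:            # not in the inventory at all: unmanaged, report it
            stale[name] = (ver, "unknown")
        elif parse_version(ver) < parse_version(ref):
            stale[name] = (ver, ref)
    return stale

def build_sample():
    root = Path(tempfile.mkdtemp())
    for rel, body in SAMPLE.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root

if __name__ == "__main__":
    for name, (have, want) in stale_components(build_sample()).items():
        print(f"{name}: installed {have}, reference {want}")
```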

Two industry stalwarts weighed in:

“As far as hackers are concerned, any legal firm represents a treasure trove of personal and financial data – but this latest attack is an absolute goldmine. Protecting your clients’ data is a fundamental part of being a lawyer, so it’s difficult to see how this firm can recover from a hack of this magnitude.” – Brian Spector, CEO at MIRACL.

“I think it is arguable that no one individual should have been able to access all of that information. Very often you find that information is not properly ring-fenced, so if you know where you’re going, you can go onto a firm’s server and go into a different department. That kind of free access across a network should not be permitted.” – Peter Wright, solicitor and managing director at Digital Law UK.

Do you think that this, the largest data breach in Internet history, was caused by a lack of security best practices? Proper due diligence may not have been done, and improper access controls seemingly were in place.

How was the information protected? Were penetration tests and vulnerability assessments done on a regular basis and timely action taken to remediate at least the high and moderate findings?

All companies, not just law firms, must look at this as an eye-opener and rethink their information security strategy for the short term and the long term. Know where your crown jewels are and how they are protected. That sounds simple and makes sense, but often enough it does not translate into serious action. Data leakage is a serious issue, and one simple place to start is formal information security awareness across the depth of your organization, covering employees, contractors, and yes, senior management equally!
