Now the fuss is over about the Panama Papers Leak, let’s examine a bit of what happened and if it could have been stopped.
So far known we can conclude the information was illegally acquired.
This leak is said to be one of the biggest leaks in history, so far. It is larger than the U.S. diplomatic cables released by WikiLeaks in 2010, and the secret intelligence documents leaked by NSA whistleblower Edward Snowden in 2013. Even Snowden, himself called the Panama Papers “the biggest leak in the history of journalism.”
What if you were part of a company that is supposed to keep all clients’ data confidential? What is the first thing you have in mind to try to stop any data leakage?
What you probably think in the first place is to protect from the outer world and hack attacks. It would work until one or more hackers manage to break or bypass your protection. And what happens when they enter? They get what they are after.
When the Panama Leaks are in question, it wasn’t just the hacker attack, the controversial thing and how they have managed to get in, but how they could have known what data to get and where that data was stored.
So, if you are a company and you keep your data nicely clustered, without it being anyhow protected, scrambled or encrypted, it would be very easy for your data to be breached and taken out for further analysis. It wouldn’t even take much time and maybe just a password or tricking a user into opening an attachment could do the job.
And if you are Mossack Fonseca, according to a screenshot posted on Twitter, an unauthorized attack of the email server may do the job.
Although the company promised to have “taken all necessary measures to prevent this from happening again,”, it obviously wasn’t enough. It hasn’t taken the most important step even before the breach had happened, by encrypting their online communication.
How could it have been stopped?
Although the data itself was definitely not on the email server and the email breach didn’t reveal all the information, it was a good starting point for further dig.
Since the emails were sent from an internal account, whoever did the email server attack could have read all the emails sent that might have contained sensitive data and passwords.
What is more, the one attacking and breaching the email server could end up gathering all incoming and outgoing attachments. That way they could end up having precious information not only about the company and their clients, but the whole network.
In order for this to be prevented and stopped, not only data encryption should be used, but end-to-end email encryption, too.
This kind of companies, keeping sensitive data, should consider protecting their communication in the first place. That way even an unintended password disclosure over email would be stopped from reaching anyone else but the one intended to get it.
We could make assumptions how everything happened and “Who let the docs out?“, but for this not to happen to your company you may consider encrypting your data and online communication.
Secure Swiss Data offers both individuals and enterprises encryption for their data and online communications and the ability to share their sensitive information safely and securely.