Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/4/2016
12:50 PM
100%
0%

Panama Papers Leak Exposes Tax Evasion -- And Poor Data Security, Data Integrity Practices

Whether an insider leak or an outsider hack, an exposure of 11.5 million documents definitely falls under the infosec umbrella.

An enormous store of 11.5 million documents -- mostly emails -- leaked from Panamanian law firm Mossack Fonseca, has exposed illegal practices used by the rich across the globe to hide their wealth, disguise how they obtain that wealth, and avoid paying taxes. The 2.6 terabytes of data reveals secret information about the offshore holdings of political leaders and crime lords alike.

According to the report by the International Consortium of Investigative Journalists (ICIJ), published after a yearlong study of the documents by a collaboration of over 100 news organizations:

Reporters at [German newspaper] Süddeutsche Zeitung obtained millions of records from a confidential source and shared them with ICIJ and other media partners. The news outlets involved in the collaboration did not pay for the documents.

Before Süddeutsche Zeitung obtained the leak, German tax authorities bought a smaller set of Mossack Fonseca documents from a whistleblower, a move that triggered the raids in Germany in early 2015. 

From Reuters:

The head of Mossack Fonseca, Ramon Fonseca, has denied any wrongdoing but said his firm had suffered a successful but "limited" hack on its database. He described the hack and leak as "an international campaign against privacy."    

Whether or not the documents were simply leaked by a privileged insider or obtained through a hack of a database or email server, the exposure falls within the purview of information security. 

According to the ICIJ report, Mossack Fonseca's data integrity and retention practices were willfully noncompliant -- the firm regularly backdated documents and also destroyed them to evade a US government investigation. According to ICIJ

...the firm took steps to wipe potentially damaging records from phones and computers to keep details of their clients from the United States justice system. ... The documents even show that a firm employee traveled from Panama to [Las] Vegas to whisk paper documents out of the country.

For more, see the ICIJ report and The Guardian's guide to the report.

Related stories:

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Click here for pricing information and to register.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
paul.curran
50%
50%
paul.curran,
User Rank: Author
10/7/2016 | 12:06:50 PM
Re: It's an insider job for sure, otherwise theseamount of data can't be frisked out of the vaults
There could have been some insider help coupled with the critically insecure Drupal release and Wordpress image slider plugins that had not been updated/patched so safer versions in quite some time. In any case, it will be interesting to see the further international fallout that will occur as more of the dust settles.
hewenthatway
50%
50%
hewenthatway,
User Rank: Strategist
4/5/2016 | 5:18:08 PM
Re: It's an insider job for sure, otherwise theseamount of data can't be frisked out of the vaults
Whoa.

So much fanciful and sensationalized coverage on that ICIJ site w/ the report.

Either way, I'm amazed that they were able to keep the investigation under wraps while under review for over a year without it blowing up on the net.  Media is constantly adapting I guess.  I guess its nice to have a breakdown of findings after careful analysis rather than jumping to conclusions.  The raw data is so organized though.  Seems to be insider as another commenter had expressed.
Shawn@HomeSecurityList
50%
50%
[email protected],
User Rank: Apprentice
4/5/2016 | 8:15:23 AM
It's an insider job for sure, otherwise theseamount of data can't be frisked out of the vaults
Experts say this is the largest leak ever. As a security analyst it seemed there's more into it than simple hacking. Such a huge information can't be leaked without having the involvement of someone/some people who have access to such sensitive data and that's too in these tax havens. Though I've no sympathies for those who evade tax and park their money by opening false companies, it's absolutely true that there were supposedly no protocol followed in securing data. Though Ramon Fonseca has denied any wrongdoing, this amount of data can't be frisked out without serious security breach or insider job. Period.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
4/5/2016 | 7:50:43 AM
Re: 100 Journalists and a Year? Does not smell right
That's an interesting one. It's obvious from the way Snowden has been treated that any leaker is not going to get much government protection, so it makes sense to stay in the shadows. 
WilliamM405
100%
0%
WilliamM405,
User Rank: Apprentice
4/4/2016 | 5:12:40 PM
100 Journalists and a Year? Does not smell right
More like an insider leaking data aka Snowden and the journalists are using a cover story and sharing the information to protect the leaker - how else does 2.5 terabytes leak out in a coordianted fashion?
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
5 Common Errors That Allow Attackers to Go Undetected
Matt Middleton-Leal, General Manager and Chief Security Strategist, Netwrix,  2/12/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-7505
PUBLISHED: 2020-02-18
Stack-based buffer overflow in the gif_next_LZW function in libnsgif.c in Libnsgif 0.1.2 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted LZW stream in a GIF file.
CVE-2015-7567
PUBLISHED: 2020-02-18
SQL injection vulnerability in Yeager CMS 1.2.1 allows remote attackers to execute arbitrary SQL commands via the "passwordreset&token" parameter.
CVE-2012-0718
PUBLISHED: 2020-02-18
IBM Tivoli Endpoint Manager 8 does not set the HttpOnly flag on cookies.
CVE-2019-10791
PUBLISHED: 2020-02-18
promise-probe before 0.10.0 allows remote attackers to perform a command injection attack. The file, outputFile and options functions can be controlled by users without any sanitization.
CVE-2009-5146
PUBLISHED: 2020-02-18
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.