This blog was updated on October 18, 2017.

A Brief History of the Panama Papers

Much attention was paid to the political fallout and tax implications associated with the spring 2016 data breach of Panamanian corporate services firm Mossack Fonseca. It was one the largest data breaches in global history, even earning it a special nickname in the media: the Panama Papers.

Although the full scope of the data breach could take years to unravel, published reports confirmed that an anonymous source using the alias John Doe began providing German newspaper Süddeutsche Zeitung with Mossack Fonseca’s documents in early 2015. The documents chronicled how wealthy individuals leveraged offshore companies to conceal the ownership of valuable assets and/or to reduce their tax liability.

How Massive Was the Breach?

Eventually, the German newspaper enlisted the help of the International Consortium of Investigative Journalists (ICIJ) to analyze the volume of data that had been received. This was a truly massive amount of data, including:

  • 11.5 million confidential documents;
  • 4.8 million emails;
  • 3 million database format files;
  • 2.2 million PDF documents;
  • 1.1 million images; and
  • More than 320,000 text documents.

The newspaper received more than 240,000 company folders from John Doe. Individual company folders included email correspondence, PDF documents, pictures, passport copies and certificates. Süddeutsche Zeitung first published news of the data breach and the corresponding Panama Papers on April 3, 2016.

How Did This Happen?

The technical reasons behind the data breach have never been crystal-clear. However, analysis of Mossack Fonseca’s infrastructure revealed a few key issues:

  • A security test conducted by Christopher Soghoian and replicated by ITPro revealed that Mossack Fonseca did not encrypt its emails with Transport Layer Security (TLS) protocols. In a nutshell, TLS protocols protect emails from potential tampering or eavesdropping.
  • Wired reported that Mossack Fonseca’s mail system, Microsoft Outlook Web Access, was last updated in 2009. The analysis of the IT change log for the firm’s Client Information Portal revealed that it was last updated in August 2013. Security best practices dictate that infrastructure upgrades, software updates and patches should be applied promptly to address rapidly evolving vulnerabilities.
  • Wired’s research also revealed that Mossack Fonseca’s version of Drupal, an open-source content management system (CMS) used by the company’s Client Information Portal, contained at least 25 vulnerabilities, including a high-risk SQL injection vulnerability that could permit attackers to remotely execute arbitrary commands on the firm’s site.
  • According to published reports, Mossack Fonseca’s internal review of the incident indicated that it originated from an unauthorized breach of its email server.

Learn How to Effectively Manage Application Security Risk in the Cloud

Protecting Your Organization From Potential Attacks

The intention of this blog is not to assign blame or debate the legitimacy of international tax shelters. Rather, the purpose is to help you:

  • Evaluate your level of security preparedness from a potential cyberattacker’s perspective.
  • Protect your organization’s email communications from possible tampering.
  • Install software updates and patches more efficiently.
  • Reduce the likelihood and impact of SQL injection attacks.
  • Realize the value of an incident response team should a worst case scenario or hack occur.

In this way, you can be better prepared and hopefully prevent similar situations from happening to you.

10 Convenient Resources to Expand Your Security Knowledge

1. Watch Our On-demand Webinar, “Overcoming the ‘Alternative Facts’ on Web and Mobile Application Security”

In this on-demand session, IBM Executive Security Advisor Etay Maor explains why primitive security solutions such as anti-virus software can lure you into a false sense of security. He also recaps top security threats to be aware of from the OWASP Top 10 application security vulnerabilities listing and shares his unvarnished perspective on how hackers collaborate and share your information for their personal gain.

2. Consult a Complimentary Ponemon Institute Study on Application Security Risk Management

This IBM-sponsored Ponemon Institute study reveals organizations’ current application security risk management practices so you can benchmark your security maturity against theirs. Our companion blog provides straightforward recommendations about how you can improve your application security effectiveness.

3. Learn About ‘The 10 Most Common Application Attacks in Action’

This blog, written by Paul Ionescu, expands discussion of potential attacks beyond SQL injection to address all the Open Web Application Security Project (OWASP) top 10 vulnerabilities. There are links to detailed YouTube videos associated with each of the attack vectors so you can learn more about them.

4. Watch ‘OWASP Top 10 Vulnerabilities: No. 1 Injection’

You will recall that analysis of Mossack Fonseca’s Client Information Portal showed that the company’s IT infrastructure may have been vulnerable to SQL injection attacks. This detailed video provides you with an overview of the SQL injection attack vector and explains how you can protect your applications from such attacks.

5. Take Advantage of the Complimentary e-Guide: ‘Mitigate Business Risk Strategically With Application Security Management’

This comprehensive e-guide provides five convenient steps you can follow to effectively manage application security risk.

6. Check Out ‘A Security Protocol for the Internet of Things’

You will recall that the lack of TLS protocols may have made Mossack Fonseca more susceptible to potential cyberattacks. “A Security Protocol for the Internet of Things” discusses the importance of TLS protection, particularly as organizations expand rapidly into IoT.

7. Listen to ‘Is Your Security Staff Addressing the Top Three Data Challenges Today?’

In this on-demand webinar, Mark Wah and Anshul Garg, from IBM’s Data Security team, discuss how you can more effectively protect mission-critical data and overcome three data security-related challenges that many organizations face: people, process and technology.

8. Consult ‘The Importance of Having an Effective Incident Response Team’

This article by Kevin Joseph, a Cybersecurity Strategist at IBM, discusses the value of investing in an incident response team prior to a potential cyberattack.

9. Review ‘Silver Bullets to Address Emerging Threats and Maintain Your Security Posture’

In this blog, IBM’s Umesh Yerram provides seven clearly defined silver bullets to focus on as you bolster your long-term security strategy.

10. Read a Case Study Detailing How a Major Retailer Manages Patching More Effectively

In this case study, you’ll learn how a major U.S. retailer reduced the time it took to patch its 27,000 endpoints from a matter of days to a matter of hours.

Learn How to Effectively Manage Application Security Risk in the Cloud

More from Application Security

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today