What Does The Panama Papers Leak Mean For Database And Website Security?
A man, a plan, a canal, Panama.
Panama may be famous for its canal, but the actions of one disgruntled banking employee mean this Central American country may soon become more synonymous with papers. The recent leak of 11 million financial documents from Panamanian law firm Mossack Fonseca has had wide-ranging implications, not just for financial and political figures, but for the world’s IT and security industries.
What the Panama Papers reveal is fascinating and highly controversial, but what they signify in terms of IT security has been largely overlooked. This was the biggest data leak in history, occupying 2.6TB of hard drive space and including 4.8 million emails, three million databases and over two million PDF files. Two thousand times larger than the WikiLeaks cables, the Mossack Fonseca leak involved almost every document the law firm had amassed over a 40-year period.
The precise circumstances surrounding the Mossack Fonseca leak remain understandably murky, with rumors attributing the breach to everyone from the CIA to Russian president Vladimir Putin. To the best of our knowledge, it seems a disgruntled employee contacted a German newspaper through an encrypted chat network offering to publicize what they regarded as criminal activities. Cryptographic apps were apparently used for initial communications, with all conversations (and some hardware) erased afterwards. The files themselves were leaked in batches far too large to be distributed via email, and it’s believed that encrypted hard drives were involved. The recipients then created and shared a database with selected global media organisations, using a search engine protected by two-factor authentication (2FA) and accessible through a specially commissioned URL.
If one person can release four decades’ worth of dubious tax activities over a period of months without being detected, companies around the world need to urgently consider the security of their own confidential information. It is clearly impossible to prevent a truly committed individual from committing such an act, but it should be relatively straightforward to reduce the likelihood by adding extra security layers. To begin with, it’s important to consider what information might actually be harmful – exposing someone’s banking history would be far more damaging than releasing their name and address, for instance.
Although Mossack Fonseca’s attempts to blame the leak on an email server hack have been widely discredited, it seems obvious that unencrypted .PST files or unsecured inboxes represent a potential weak link in many companies’ IT infrastructures. It may be prudent to store sensitive information on offline private servers, which are out of reach of remote attackers. Access to these servers should be restricted to the most senior IT and management personnel, possibly requiring two people to gain access, rather like the twin-ID entry systems used in secure military installations.
One relatively simple security enhancement would involve creating an automated activity log whenever an employee attempts to access particular folders. For instance, internal access to a secure hard drive could be uploaded to an online log, hosted externally and consequently beyond the scope of tampering. That could potentially identify any individual who logged in and then copied the files to a remote device, or accessed sensitive data in unusual ways (such as repeatedly, or late at night). Security software can already flag up spikes in outgoing traffic or large-scale file transfers, meaning a routine check wouldn’t attract attention whereas sudden mass exfiltration would.
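The access-log review described above, sketched as an added example that is not part of the original article. The log format, user names, office hours and thresholds are all assumptions constructed for illustration; a real deployment would tune them against its own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, user, action, path, bytes transferred.
SAMPLE_LOG = """\
2016-03-01T10:15:00 alice READ /secure/clients/a.pdf 120000
2016-03-01T14:02:00 bob READ /secure/clients/b.pdf 90000
2016-03-02T23:40:00 carol READ /secure/clients/c.pdf 80000
2016-03-03T11:00:00 dave COPY /secure/clients/d1.pdf 400000000
2016-03-03T11:01:00 dave COPY /secure/clients/d2.pdf 450000000
2016-03-03T11:02:00 dave COPY /secure/clients/d3.pdf 500000000
2016-03-03T11:03:00 dave COPY /secure/clients/d4.pdf 300000000
"""

WORK_HOURS = range(7, 20)          # assumed office hours, 07:00-19:59
BURST_WINDOW = timedelta(minutes=10)
BURST_FILES = 4                    # distinct files within the window
DAILY_BYTES = 1_000_000_000        # assumed per-user daily ceiling (1 GB)

def parse(log_text):
    """Turn log lines into (time, user, action, path, size) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, size = line.split()
        events.append((datetime.fromisoformat(ts), user, action, path, int(size)))
    return sorted(events)

def detect(events):
    """Return {user: set of reasons} for access that departs from routine."""
    alerts = defaultdict(set)
    daily = defaultdict(int)       # (user, date) -> bytes moved that day
    recent = defaultdict(list)     # user -> [(time, path)] inside the window
    for when, user, action, path, size in events:
        if when.hour not in WORK_HOURS:
            alerts[user].add("off-hours access")
        daily[(user, when.date())] += size
        if daily[(user, when.date())] > DAILY_BYTES:
            alerts[user].add("daily volume exceeded")
        recent[user] = [(t, p) for t, p in recent[user] if when - t <= BURST_WINDOW]
        recent[user].append((when, path))
        if len({p for _, p in recent[user]}) >= BURST_FILES:
            alerts[user].add("burst of distinct files")
    return dict(alerts)

if __name__ == "__main__":
    for user, reasons in sorted(detect(parse(SAMPLE_LOG)).items()):
        print(user, sorted(reasons))
```

Routine daytime reads by alice and bob raise nothing, while the late-night read and the rapid bulk copy are each flagged with the reason that triggered them.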
One final tip for companies concerned about data security is to commission a report from an industry expert, who can investigate their computer systems and identify potential weaknesses. From segregating files in different secure locations through to keystroke logging, firms in possession of confidential or potentially damaging information can do a great deal to avoid becoming the next Mossack Fonseca.