When it comes to cyber security breaches, there have been some real doozies. In fact, there have been some appalling breaches in just the past couple of years. Just look at the 2014 hit on Sony that resulted in the broadcast of executive emails and the resignation of key executives (following the 2011 attack on Sony’s PlayStation Network that reportedly cost the company over $170 million dollars).
How about the 2015 attacks on health insurance providers (Anthem, Blue Cross), banking institutions (JPMorgan Chase and Co.), dating website Ashley Madison (which you’d think would have abundant security considering the secretive nature of its adulterous clientele), and even the government (Federal Office of Personnel Management, or OPM)? That’s not even mentioning the many data breaches on mega-corporations like Target and Home Depot.
The point is that no one, not even the largest, richest, and most powerful organizations in the world, is exempt from attempted (and probably successful) hacking. However, the Panama Papers incident has been cited as exceeding all of these breaches in scope.
The data breach (of which The Guardian news outlet provided a handy primer here), which resulted in the theft and subsequent publication of 11.5 million files from the databases of Panamanian legal firm Mossack Fonseca (the fourth largest offshore firm in the world), exposed the firm’s wealthy clientele, including a variety of world leaders. Included in the revelations was evidence implicating Russian President Vladimir Putin, Pakistani Prime Minister Nawaz Sharif, and Icelandic Prime Minister David Gunnlaugsson (among others) in shady and potentially illegal offshore activities.
Is there any good to be gleaned from this incident? If your business is the type to learn from the mistakes of others, the answer is yes. Perhaps the nature of the Panama Papers incident can serve as a warning. Here are a few things you could learn from this historic data breach.
The Attack was Simple
Since the Panama Papers leak, the method of the attack has come to light, and apparently the breach exploited a well-known weakness so simple that it could have been perpetrated by a child, much less a hacker of some skill.
This prompts the question: what are you doing to protect your website and network? Firewalls, antivirus programs, password protection, encryption, and monitoring are all great, but you need to stay up-to-date with known issues if you want the best chance to bolster your security and fight off intrusion. If you’re like most companies, you’re not even taking some of these common steps.
Valuable Data was Up for Grabs
As a business owner you know that some types of data are more valuable than others. For example, client names might not be as valuable as their social security numbers or credit card numbers.
Unfortunately, Mossack Fonseca failed spectacularly to adequately protect any of their client’s data, regardless of the relative value or need for privacy and confidentiality. In fact, it was discovered in the aftermath that sensitive data was regularly transferred via unsecured email, which would make it all too easy to get a hold of, even in the absence of the scope of hacking that occurred.
Additionally, data of a more sensitive nature was not compartmentalized and stored behind extra layers of security. Hackers had no trouble accessing and stealing everything, including the most private client data.
No One Noticed Unusual Activity
Simple network monitoring software or services could have easily spotted the enormous data transfer that occurred during the hack on Mossack Fonseca (amounting to 2.6 TB of data). This size of transfer is astronomical, and it should have immediately set off alarms and notification – if only proper monitoring had been in place.
It’s no surprise that the Panama Papers leak had consequences for both the company and its clients. For example, David Gunnlaugsson stepped down as Prime Minister of Iceland following the leak, which revealed conflicts of interest in deals brokered after the financial crisis.
Other prominent world leaders were also revealed to have practiced unethical or even illegal activities relating to Mossack Fonseca, the least of which revolved around tax avoidance while the worst offenders appear to have stolen money from the very countries and people they represent. This, of course, is a worst-case scenario for any business, but the lesson is clear.
A company that allows such a data breach will lose clients, one way or another. Whether they leave due to lack of confidence or they find themselves so personally compromised by leaked data that they can no longer continue to function professionally, the company that allowed the breach is likely to be compromised beyond repair.