In-brief: the Panama-based law firm at the center of a massive data leak said that more than 11 million documents were taken from his firm by “hackers” and defended its reputation and practices.
The Panama-based law firm at the center of a massive data leak said that more than 11 million documents were taken from his firm by “hackers,” even as the firm issued statements defending its reputation and practices.
Bloomberg reported on Monday that Ramon Fonseca, the co-founder of the firm Mossack Fonseca, confirmed to a local Panama television station that a hack was the source of the leak of more than 2 terabytes of files and parts of an internal database. Details of the hack were not provided, but other outlets – citing “Panama insiders” have suggested that a former employee at the firm may have also played a role in the leak.
The stolen data formed the foundation of revealing reports from the publication Sueddeutsche Zeitung and the International Consortium of Investigative Journalists (ICIJ) on Sunday.
Those reports lay bare the workings of a firm that is a top facilitator of shell companies. The leaked internal files contain information on 214,488 offshore entities connected to people in more than 200 countries and territories, the ICIJ reported, saying it will produce a full list of the companies in May. “Off shore” companies promise favorable tax policies. Such corporate entities are often legitimate – and even necessary. But they can also be used to shield money from taxation or launder illicit proceeds.
Mossack Fonseca released an extensive rebuttal to the published reports, defending its work on behalf of clients and saying that it conducts “thorough due diligence on all new and prospective clients.” The firm has “never once in its history been charged with criminal wrong doing or even been formally investigated in connection with allegations of the same,” the company said in a statement. (PDF)
However, the public statements said nothing about the details of the breach. Security experts noted that law firms are frequent targets of attacks, including sophisticated and targeted hacks seeking sensitive data on business dealings like mergers and acquisitions or contract negotiations.
The FBI is investigating attacks on prominent law firms, apparently aimed at stealing sensitive data related to business deals, underscoring the risk of third-party data breaches. The Bureau recently issued a Private Industry Notification to law firms about attacks targeting “international law firm information used to facilitate business ventures.”
Most organizations of any size have valuable IT assets that contain data that would be of interest to a motivated adversary or cyber criminal, said Itzik Kotler, the CTO of the firm SafeBreach. Modern storage devices like external hard drives are small and portable and can easily accommodate that amount of data and would have been an easy target for a malicious insider.
However, the sheer amount of data that was apparently taken – 2.5 Terabytes – would have required specialized tools and patience to steal remotely, he said.
Mossack Fonseca has been named in connection with a number of investigations in recent years. Kotler said that the media attention could have attracted the attention of other ideologically or financially motivated hackers.
Still, motivation is difficult to prove. Any firm could potentially find itself in the crosshairs, Kotler said. “Every company has something that someone can sell,” he said.