Friday, May 13, 2016

Panama Papers data breach is now searchable online



A month ago the sky ripped open for a lot of people who had opted to use offshore companies to hide financial assets in order to avoid paying taxes. The breach came in the form of the Panamanian based law firm, Mossack Fonseca, which found itself out of pocket to the tune of over 11 million documents.


There has been no shortage of high profile individuals who have found themselves in the center of a swirling torrent as a result. One player in particular who profited from an offshore trust was none other than UK Prime Minister, David Cameron.

As a sidebar, I can’t help but to love the irony in this case. Back in 2012 the British comedian Jimmy Carr found himself on the wrong side of a tax avoidance set up. At the time Cameron called out Carr for his behaviour,

From BBC:

Prime Minister David Cameron on Wednesday called Mr Carr's use of the scheme "morally wrong".

But the PM refused to comment on Take That star Gary Barlow's tax affairs - saying it was a different case - after Labour called for his OBE to removed.

The Cameron revelations are just one example in an ever widening net of individuals. These documents were brought to light due to the efforts of the the International Consortium of Investigative Journalists. Now, the ICIJ has released a searchable database of a portion of the documents that were leaked in the data breach. The database contains just a small portion of the overall breach clocking in at 320,000 documents.

As the ICIJ points out in the disclaimer there are actually some legitimate uses for these sorts of companies. Something to keep in mind when searching the database.

From ICIJ:

There are legitimate uses for offshore companies and trusts. We do not intend to suggest or imply that any persons, companies or other entities included in the ICIJ Offshore Leaks Database have broken the law or otherwise acted improperly.

Each time I run a search I’m absolutely amazed at the interconnects. So far I’ve not discovered anything that makes me slump in my chair but, the day is young.

So, how did we get to this point? The data breach has been linked to a person or persons who siphoned off the massive trove of data. The data was then passed to a publication in Germany and ultimately to the ICIJ which worked to coordinate the release of the data amongst numerous media outlets.

There has been all manner of theories as to how this happened. One of the theories that caught my attention was that this may have (take with a grain of salt) as a result of an old Wordpress plugin that was susceptible to remote compromise.

The salacious nature of the data breach notwithstanding we have to wrap our head around the need for better website hygiene. I’ve been tub thumping on this point for a while and, whether or not this is the issue with the Mossack Fonseca, it makes for an excellent learning opportunity. The Mossack Fonseca website had added a robots.txt file to their website soon after the breach made headlines around the world. A little too little to late.

When the barn has already burned to the ground and the horses have fled is categorically not the right time to worry about a your web security. I would recommend that everyone use this data breach story as an opportunity to review your own website security and patch levels before your company ends up as a headline.

No comments:

Post a Comment