
Mossack Fonseca: The Panama Papers
The legal firm at the centre of what was, at the time, the largest data leak in history has been accused of negligence in its duty to protect client data. The firm in question, Mossack Fonseca, based in Panama City, has a high-profile, well-heeled clientele from all corners of the globe. Such clients naturally expect the best in service: not just legal and financial advice but also data security.

Unfortunately, it appears Mossack Fonseca failed to follow industry best practice in safeguarding confidential client data. The firm has admitted that its email server was compromised, and a report shows that the attack came from outside Panama. Analysts have stated that the company's security was very weak, which made compromising the email server easier than it should have been. Mossack Fonseca's website is also said to have been poorly protected prior to the breach and the subsequent data leak.

The financial consequences of Mossack Fonseca's negligence are yet to be calculated, but the political backlash, a result of the sensitive nature of its business and the profile of its clients, has caused major embarrassment. Journalists across the world have found the 11.5 million documents in the 2.6 TB leak to be a treasure trove of information.

The damage to the reputation of what is the fourth most prominent 'offshore' law firm has been monumental. In an industry in which secrecy is paramount, any data leak is disastrous; to have information dating back to the company's inception in 1977 leaked is a potential death sentence for Mossack Fonseca.

There is little sympathy for Mossack Fonseca, because it neglected the most basic security measures. Its public website ran an outdated version of WordPress riddled with known vulnerabilities. Worse, the client portal, the system that actually held confidential material, ran a three-year-old version of Drupal with 25 known vulnerabilities, including one that allowed SQL injection.

The firm also ran its email on a 2009-era version of Microsoft Outlook Web Access, and it did not encrypt its email, a fact that is both tragic and laughable when one considers the nature of Mossack Fonseca's business. Clients expect communications with their lawyers to be confidential; failing to encrypt electronic communications could justifiably be interpreted as a breach of that duty.
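The two failures described above, a CMS running years behind its patched releases and a mail server that does not offer transport encryption, are both things a firm can check for itself from the outside before an attacker does. The following Python script is an added example, not code from the original post and not anything Mossack Fonseca used. It works offline on constructed evidence: a page fragment carrying the WordPress generator tag, the head of a Drupal 7 CHANGELOG.txt (which Drupal 7 ships in its web root and which begins each release block with "Drupal 7.NN, date"), and an SMTP EHLO reply. The baseline versions in MIN_VERSIONS and the sample inputs are assumptions for the demo, not the firm's real versions.

```python
"""Offline exposure checks: CMS version behind a patched baseline, and SMTP without STARTTLS.

Added example; the sample page, changelog and EHLO reply below are constructed,
and the baseline versions are an assumed policy, not data from any real site.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Assumed policy baseline: the oldest release you still treat as patched.
# A real check would take this from a vulnerability feed rather than hard-code it.
MIN_VERSIONS = {"WordPress": (4, 4, 2), "Drupal": (7, 43)}

# Constructed sample evidence (not captured from any real server).
WP_HTML = (
    "<html><head><title>Firm</title>\n"
    '<meta name="generator" content="WordPress 4.1" />\n'
    "</head><body>...</body></html>"
)
DRUPAL_CHANGELOG = (
    "Drupal 7.23, 2013-08-08\n"
    "-----------------------\n"
    "- Fixed several bugs.\n"
    "\n"
    "Drupal 7.22, 2013-04-03\n"
)
EHLO_PLAIN = (
    "250-mail.example.test Hello [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n250-8BITMIME\r\n250 HELP\r\n"
)
EHLO_TLS = (
    "250-mail.example.test Hello [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n250-STARTTLS\r\n250 HELP\r\n"
)


def parse_version(text: str) -> Version:
    """'7.23' -> (7, 23); tuples compare correctly even with different lengths."""
    return tuple(int(part) for part in text.strip().split("."))


def wordpress_version(html: str) -> Optional[Version]:
    """WordPress themes emit <meta name="generator" content="WordPress x.y[.z]">."""
    for tag in re.findall(r"<meta\b[^>]*>", html, re.I):
        if re.search(r'name=["\']generator["\']', tag, re.I):
            m = re.search(r'content=["\']WordPress ([\d.]+)', tag, re.I)
            if m:
                return parse_version(m.group(1))
    return None


def drupal_version(changelog: str) -> Optional[Version]:
    """Drupal 7 CHANGELOG.txt opens each release block with 'Drupal 7.NN, YYYY-MM-DD'."""
    m = re.search(r"^Drupal ([\d.]+),", changelog, re.M)
    return parse_version(m.group(1)) if m else None


def ehlo_offers_starttls(ehlo_reply: str) -> bool:
    """Per RFC 3207 a capable server lists STARTTLS as a '250-STARTTLS' or '250 STARTTLS' line."""
    return any(
        re.fullmatch(r"250[- ]STARTTLS", line.strip(), re.I)
        for line in ehlo_reply.splitlines()
    )


def version_finding(product: str, found: Optional[Version]) -> Optional[str]:
    """Return a finding string if the disclosed version is older than the baseline."""
    if found is None:
        return None  # nothing disclosed; that is not evidence of being patched
    baseline = MIN_VERSIONS[product]
    if found < baseline:
        return "%s %s is below the patched baseline %s" % (
            product, ".".join(map(str, found)), ".".join(map(str, baseline)))
    return None


def audit(wp_html: str, drupal_changelog: str, ehlo_reply: str) -> List[str]:
    """Run all three checks and return the list of findings (empty means nothing flagged)."""
    findings: List[str] = []
    for product, found in (
        ("WordPress", wordpress_version(wp_html)),
        ("Drupal", drupal_version(drupal_changelog)),
    ):
        finding = version_finding(product, found)
        if finding:
            findings.append(finding)
    if not ehlo_offers_starttls(ehlo_reply):
        findings.append("SMTP server does not advertise STARTTLS; mail in transit is unencrypted")
    return findings


if __name__ == "__main__":
    for finding in audit(WP_HTML, DRUPAL_CHANGELOG, EHLO_PLAIN):
        print("FINDING:", finding)
```

Two caveats a practitioner would add: the generator tag and CHANGELOG.txt are often removed by hardening plugins, so a missing version is not evidence of being patched (the script deliberately reports nothing in that case rather than a clean bill), and an advertised STARTTLS only means encryption is offered, not that the sending side insists on it.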

In summary, Mossack Fonseca's failure to keep its websites on current software with the latest security patches, combined with the decision to run its email on an outdated, unsecured server while sending unencrypted email, has cost it a great deal of bad press and lost business. A reputation built up over four decades was destroyed in a week.

About Afritechnet
