A proverbial treasure trove of information was released recently in the so-named Panama Papers.
The data dump revealed the wheeling and dealing of some of the world’s wealthiest people, showing how money has been shifted around the world, helping a lot of already-rich people avoid paying taxes.
While it was initially reported that the 2.6TB – made up of over 11 million documents – was leaked, it has since come to light that the office of Mossack Fonseca in Panama was actually hacked. The hacker then spilled the beans to German paper Suddeutsche Zeitung who in turn shared the information with news agencies around the world.
But how did the hacker breach Mossack Fonseca? Well, once you understand how the hack happened, you will start to wonder why the company wasn’t breached earlier, and why the hackers managed to walk away with easily the most important data hack of this generation.
For starters, according to a report by Forbes, the office sent out a notification to members on 1 April that it was investigating a suspected email server breach. It turns out that all email communication at Mossack Fonseca was unencrypted, and was powered by an outdated version of Microsoft’s Outlook Web Access.
Forbes also discovered that the Mossack Fonseca website is powered by a WordPress version that is almost three years old. Any web administrator should know to update to the latest WordPress version as soon as it is released. The version it ran has also been known to contain several unpatched vulnerabilities.
So the website ran an old version, but what about the client-facing portal that members used to log in? It was operating off a three-year-old version of the CMS system Drupal. The version that powered the portal was allegedly 7.23, where the current version at the time of the hack was Drupal 7.32.
“That critical vulnerability may have been open for more than two-and-a-half years on Mossack Fonseca’s site, if it hadn’t been patched at the time without updating website logs. It remains a valid route for hackers to try to get more data from the firm and its customers,” Forbes wrote.
It is technically possible however, that it was updated but not logged in the site’s change-log.
According to WPTavern, the site’s theme is a three-year-old version of Twenty Eleven (1.5), and it also loads a number of outdated scripts and plugins.
The holes in Mossack Fonseca’s systems were so big that the hackers (or hacking team) syphoned off the data from the servers for over a year – if not more – without being noticed.
There’s speculation that if Mossack Fonseca detected the breach, it did nothing about it. But many are leaning towards the notion that the firm had no idea the hack was taking place at all.
“They seem to have been caught in a time warp. If I were a client of theirs I’d be very concerned that they were communicating using such outdated technology,” Professor Alan Woodward, a computer security expert from Surrey University, told WIRED UK.
To make matters worse, it states on the official website that “Your information has never been safer than with Mossack Fonseca’s secure Client Portal.”
Oh, the irony.[Image – CC by 2.0/Michelangelo Carrieri]