Mossack Fonseca Little Mistake and it's Big Impact

Mossack Fonseca Little Mistake and it's Big Impact

Information security is a big business in any part of the world. In the United States alone we are expected to spend $86.4 billion protecting the data, and this number is expected to go up each year. So why is information security so important to business? One way we can answer this question is by looking at a company that failed to protect their database and what consequences followed. Mossack Fonseca is a perfect example. Due to simple software patches that were not completed, a hacker was able to get their hands on 2.6 terabits of data and release 11.5 million financial and legal records.

Mossack Fonseca, a firm that is based in Panama, was the fourth most prominent law firm in the world. It focused on offshore financial services. Before this significant document breach in 2016, the company was able to keep its clients’ identity secret. In 2016 the company secrets were released by a German newspaper. When the German newspaper received an anonymous email by a hacker claiming he had compelling information about Mossack Fonseca, the newspaper joined forces with the International Consortium of Investigative Journalists to review its documents. A year later, the newspaper released the evidence showing that specific powerful, famous and rich individuals were avoiding paying taxes by offshoring their funds to small shell companies

So how was the anonymous hacker able to get private information from the Mossack Fonseca database? According to the checkmarx blog, Mossack Fonseca had multiple flaws that allowed a hacker to capture private client information. The first mistake that the company made was not encrypting their emails. The unencrypted emails enabled hackers to read the content of an email easily. Another big mistake that the Mossack Fonseca had was not keeping up with WordPress and Drupal plugins updates. According to the CEO of WordPress and Drupal, the Mossack Fonseca used at least a three-year-old version that contained several known vulnerabilities.

This incident led to severe consequences for the company and its clients. Days after the news hit the streets, protests started to break out in different parts of the country. The company faced a lawsuit, and later fines. Mossack Fonseca lost public respect, and some employees lost their jobs. The 11.5 million documents being released to the public could have been prevented if the IT department had run monthly updates for the plugins.

From this incident, we as IT professions can take away two things. The first is to encrypt files. This is a simple way to add a level of security to data. The second is to never underestimate plugins’ updates. There are several security scanner softwares available on the market that will scan the plugins for known vulnerabilities. After the vulnerabilities are located, the IT professional is able to take the necessary actions to avoid incidents such as the one that happened to Mossack Fonseca. The simple steps of encrypting emails and files and running software and fixing the plugins could have saved much money and embarrassment for this company.