December 6, 2021

For legal, more pitfalls than praise in Panama Papers ‘Ethical hacking’



By Ricci Dipshan, From Legaltech News

Deemed the biggest breach in history, the Panama Papers leak shines a spotlight on how unprepared many law firms are for cyberattacks, and how susceptible they are to so-called ethical hacking

The Panama Papers leak landed with a bang: 2.6 terabytes, 11.5 million internal documents, and almost 40 years of confidential client information. Deemed the largest breach in history, the disclosure implicated scores of public figures, including politicians from Vladimir Putin to the now former prime minister of Iceland, Sigmundur Davíð Gunnlaugsson.
But beneath the uncovering of corruption, tax evasion, and the dark hinterlands of the global economy lay a second revelation, one that, like offshore banking, is widely assumed but rarely seen: the breach of a law firm.
The firm at the center of the leak was Mossack Fonseca Group, founded in 1977 in Panama by Jürgen Mossack. German daily Süddeutsche Zeitung, which received the breached documents last year and analyzed them in conjunction with the U.S.-based International Consortium of Investigative Journalists, described the firm as one “selling anonymous shell companies for almost 40 years,” with ties to a host of disreputable figures, from suspected Al Qaida supporters to Chinese political elites, corrupt FIFA officials, and at least one Mexican drug lord.
While the breach of the firm’s data was illegal, the disclosure of the information has been met with acclaim from many in the government, media and legal spheres who decry the iniquities of offshore banking.
“So-called ‘ethical hacking’ is a fact today,” noted Jason Maloni, who leads the privacy and data security team at global strategic communications firm LEVICK. “Right now, the bad guy isn’t the entity that hacked Mossack Fonseca. The bad guys are those who sought to hide money from taxation.”
“Even if it is done legally, the web of connections has already resulted in the resignation of one senior leader. We have not seen the last of the fallout from this act. Every story is Shakespearean, and the public has a visceral need to identify the good guys and bad guys and, right now, we’re only beginning to understand the actors in this tragedy,” he added.
Legal actors, however, may only now be coming to terms with the extent of the hazard and infamy that go along with representing certain clients.
“Any organization whose business model is predicated on secrecy, discretion and confidentiality, and who enjoys a reputation of providing those services to high net worth individuals, some of whom may be more controversial than others, is eventually going to attract negative attention,” noted Scott Moritz, managing director and head of Protiviti’s fraud risk management practice.
“Whether it is the hacking of celebrities’ smart phones, intrusions of media companies resulting in the disclosure of the proprietary economics of movies and talent compensation… or the detailed personal data and biometrics of federal employees and contractors seeking to obtain security clearances, the more sensitive the data, the more prized that data is both in terms of bragging rights and the more pragmatic amount of money the people who obtained it stand to gain by selling it to the highest bidder,” he added.
And while the breach of Mossack Fonseca’s files was unparalleled, the firm is far from the only one representing targeted clients.
“There are many organizations whose whole function is to assist high net worth individuals to establish personal investment companies, trusts, holding companies and various other legal entities in jurisdictions that are opaque to assist wealthy individuals to implement various tax strategies designed to reduce their taxable income,” Moritz said.
The Ease of Access
Beyond the ethics of the disclosures, however, is the cold hard fact of a breach as unprecedented for its all-encompassing scale as it is for its content, a reality that speaks to what Maloni sees as the legal industry’s vulnerability and lethargy in the face of modern cyberattacks.
“I’ve heard reports that as many as 80 percent of the top firms in the world have been breached in recent years. That number wouldn’t surprise me in the least,” he said.
Maloni called the Panama Papers breach “a watershed moment for law firms. It’s their Target or Sony. As a result, there will be greater pressure on law firms and greater demand by clients to maintain a high standard of security and disclosure when bad things happen.”
“I expect many firms appreciate the damage that can be done by having unflattering emails revealed. But are they acting on this information? Are they testing firm personnel by lobbing in fake spear phishing attacks? Are they educating everyone about social engineering? Are they doing tabletop exercises themselves? Are they taking a worst case scenario approach and understanding the actions they’d take if their files were open to the world? Probably not.”
“Every firm should assume they’ll be breached, because they will be breached,” added Mark Sangster, vice president and industry security strategist at eSentire. “Regardless of size, all firms present a treasure trove of sensitive client and financial data, which when compromised, can result in catastrophic consequences. Even large law firms with layers of cybersecurity defenses in place are at risk. Mossack Fonseca now claims that this data leak is linked to a year-old breach incident. Clearly, the breach was successful, thanks to a sophisticated attack, which was likely successful because the firm’s cybersecurity defenses were unable to detect it.”
Unforeseen Consequences
In a statement posted on its website, Mossack Fonseca addressed allegations of any wrongdoing, noting that they “provide company incorporation and related administrative services that are widely available and commonly used worldwide,” and that the firm is “legally and practically limited in our ability to regulate the use of companies we incorporate or to which we provide other services. We are not involved in managing our clients’ companies.”
In a statement posted on The Guardian, the law firm also said that the instances of wrongdoing cited by media reporting “represent a fraction – less than one percent – of the approximately 300,000 companies that Mossack Fonseca has incorporated in its over 40 years in operation. This fact shows that the vast majority of our clients use companies we incorporate for legitimate uses and that our due diligence and compliance procedures are overwhelmingly successful in thwarting those who have other intentions.”
While the Panama Papers coverage may focus on only a portion of Mossack Fonseca’s hundreds of thousands of clients, the breach of information spanning almost the entirety of the firm’s existence means that the repercussions of the cyberattack will be far larger than is publicly reported.
“It’s important to keep in mind that the law firm’s obligations are only part of the picture—under most notification laws, if a law firm suffers a breach of client data, the law firm will have notification obligations to its clients, but the clients will have the ultimate obligation to notify the individuals whose information was compromised,” said Jeffrey Sharer, data law practice co-chair at Akerman.
Broader repercussions for a firm’s lesser-known clients became a reality in the well-known hacktivist breach in 2012 of the now defunct law firm Puckett & Faraj. The hackers targeted information on former staff sergeant Frank Wuterich, a key figure in the controversial Haditha killings in Iraq in 2005, but released the firm’s emails en masse, exposing confidential information of Puckett & Faraj’s many other clients.
The “Soft Underbelly”
The loss of client confidentiality has become more prevalent since “cybercriminals began to look for the soft underbelly – those who did business with such companies and had authorized access to their data,” said Martin Tully, also a data law practice co-chair at Akerman.
“Hackers realized that the law, accounting, and consulting firms that worked with companies on proposed mergers or acquisitions had in their custody significant amounts of non-public information about proposed transactions, but in a less secure environment. These firms often also possess intellectual property, trade secrets, personally identifiable information (PII), personal health information (PHI), and other protected data obtained from the clients they work with. Compounding matters, some of these firms keep lots of client information much too long, further adding to their appeal as targets,” he added.
This new reality was front and center with the recent revelation that hackers gained access to the computer networks of law firms working on M&A deals, including Cravath, Swaine & Moore and Weil, Gotshal & Manges. A Weil spokesperson declined to comment, but Cravath confirmed that the firm identified a “limited breach of its IT systems,” according to The American Lawyer.
A cybercriminal who went by the moniker “Oleras,” and who had previously targeted dozens of M&A law firms, was also recently discovered soliciting other hackers in an effort to breach 48 law firms.
“Less than 24 hours after that announcement” of the breaches at M&A firms, noted Tully, “a prominent plaintiffs’ law firm announced plans to bring class actions against the implicated law firms for malpractice and breach of contract.”
While it is too soon to tell whether Mossack Fonseca will face similar repercussions, Maloni believes that “the true recourse Mossack Fonseca should fear is clients taking their business elsewhere. It’s a sign every law firm in the world should heed.”
