Reports started surfacing this week that one of the world’s largest data leaks, being referred to as the Panama Papers, is shedding light on offshore financing of some of the richest and most powerful people around the globe. The leak, which included over 11.5 million files including emails, invoices and bank records, came from Mossack Fonseca, a law firm in Panama that is reportedly one of the world’s biggest creators of shell companies.
As with Snowden, Wikileaks, Sony Pictures and Anat Kam, the initial focus with the Panama Papers is of course on the magnitude and fallout from the leak.
This is especially bad in the conext of Mossack Fonseca, who are facing allegations of aiding financial crimes and handling the finances of accused war criminals and drug traffickers. However the fact that tax havens had the potential do be used by such law-breakers as part of their operations was known by much of the population, with many saying they aren’t surprised to see the 1% were effectively hiding their money from the 99%. Security experts constantly tell you it’s not a case of if you’re breached, but when – Mossack Fonseca, whether an inside job or external attack, shows no-one is immune, even those who are serving the elites with their most sensitive matters.
Tax havens themselves aren’t actually that complex. Simply put, say you’re a billionaire and you’re a UK citizen. For some reason, you may decide that you don’t want to pay the amount of tax the UK government has set for your level of income. If this is the case, you can set up as a company based in a tax haven, such as Panama, which means you then pay the tax rate set in the tax haven, rather than your home state. To put this in context, UK corporation tax is currently at 20% and decreasing, whilst in Panama you’re able to pay as little as 1.17% in tax – that’s a huge difference if you’re earning a lot of money. And it’s completely legal.
The elites have exploited this for years, with several different secretive tecchniques, and continue to do so in spite of sporadic attempts to limit this kind of practice. For example, the US government ruled that tax havens must inform the IRS of how much money they’re holding for US citizens – of course this just meant that US elites began resigning their citizenship to keep the IRS off their backs. While only a few hundred Americans gave up their identity in 2007, more that 2,500 did last year – with the increases in this figure only beginnning in 2010 when the US made this rule.
So what is the security like in these operations?
The amount of e-mails included in the leak has led to many questions being asked as to how this information could be gotten, why emails are such a prime target and how the security of emails can be ensured.
Doing anything at scale these days requires digital coordination and tracking, for good or ill, legal or criminal. Files and emails are the digital records of everything we do. This unstructured data tends to be what companies have the most of and know the least about. In its most recent analysis of risk assessments performed at potential customers, Varonis found more than 25% of shared folders in the average company aren’t locked down at all and are visible to everyone in the company.
David Gibson, VP of Strategy and Market Development for Varonis, comments: “Email servers tend to be one of the largest troves of valuable information. If you were spying on a company, the CEO’s mailbox would be a pretty fantastic place to see what was going on. One of the security challenges with email is that the most valuable mailboxes tend to be the least secured. This is because executives and law-firm partners often have assistants and other people that get access to their mailboxes – some even have banks of admins that all have access for long periods of time. Another security challenge with email is that mailbox activity is rarely logged or analyzed, making it very difficult to spot abuse or theft. Lastly, Microsoft Exchange has “public folders” where a lot of sensitive information can pile up, and a lot of companies don’t pay much attention to securing. If an assistant’s account gets compromised through phishing or password stealing, or if an assistant turns out to be acting maliciously, the contents of the executive’s mailbox can easily be compromised without detection.”
Why don’t we protect files and emails better? We underestimate their value and vulnerability. We forget about them but rarely delete them. The recent spike in ransomware shows us how vulnerable unstructured data can be – ransomware advertises its presence to your end users after it encrypts your files, asking for a few bitcoins, and still organisations struggle to detect it before huge numbers of files are corrupted. Other threats often don’t reveal themselves until much later (if ever) and are far more costly to recover from.
The Guru also heard from Javvad Malik, Security Advocate at AlienVault, who elaborated: “An incident can happen to anyone at anytime, even offshore and secure datacenters can be breached. This demonstrates another breach where a company appeared to be unaware until it hit the news. Highlighting how vital it is to not only have detection and response controls in place, but to act upon it when such an event occurs. The effectiveness of regulatory and legal controls also comes into question. If audits and regulatory oversight was adequate, then the allegations of wrongdoing would have little merit.
“This will likely serve as a reminder that information can be compromised, even when dealing with long-standing organisations. Perhaps it will instil a greater sense of ensuring confidentiality when engaging in sensitive dealings online.”