Knocked into a cocked (Panama) hat

11 04 2016

Unless you’ve been living under a rock for the past week you can’t have failed to be aware of the ‘Panama Papers’: 2.6 TB of data, 11.5 million documents, 30,000 lorries’ worth if you printed them out, and so on and so forth.

Information relating to offshore companies, tax avoidance and (possibly) tax evasion, dodgy art deals, alleged money laundering, corrupt country leaders and multi-millionaires.

So what has this to do with my reader base? Well unless you’ve been keeping something from me and you’re actually an international bad guy, up there with Scaramanga and Blofeld, not a lot on the face of it.

But, let’s just take a step back and look at this from a slightly different angle.

Here we have a law firm, Mossack Fonseca, who prided themselves on guaranteeing confidentiality; indeed, under data security on their web site they say “Your information has never been safer than with Mossack Fonseca’s secure Client Portal”. The people they dealt with chose them because they didn’t want their activities to be under public scrutiny. Company structures were designed to be obscure and opaque; everything was geared towards secrecy.

And yet, based on reviews carried out by various security firms, they were running software that was not only out of date, but which had well publicised (and exploited) vulnerabilities. Their servers were not protected by firewalls, the secret data was unencrypted, and it appears their monitoring was so poor (or maybe non-existent) that they failed to notice the exfiltration of vast amounts of data over many months.
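The last of those failings, months of bulk exfiltration that nobody noticed, is the one with the cheapest fix: simply baselining how much each server sends out per day. The following is an added example, not code from the original post and not anything taken from Mossack Fonseca’s systems; it assumes a hypothetical egress log format (timestamp, source host, destination IP, bytes sent) and runs over constructed sample lines in which a web server that normally sends about 100 KB a day suddenly pushes gigabytes to an address it has never spoken to before.

```python
"""Egress-volume baselining over constructed firewall/proxy log lines.

Added example, not from the original post. The log format is a hypothetical
one: '<ISO-8601 timestamp> <source host> <destination IP> <bytes sent>'.
"""
from collections import defaultdict
from statistics import median

# Constructed sample lines (hypothetical host name, documentation-range IPs).
# Days 1 and 2 are normal traffic; days 3 and 4 carry multi-gigabyte
# transfers, the first of them to a destination never seen before.
SAMPLE_LOG = """\
2016-03-01T09:12:03Z portal-web-1 203.0.113.10 48211
2016-03-01T14:40:10Z portal-web-1 198.51.100.7 51200
2016-03-02T10:03:44Z portal-web-1 203.0.113.10 47322
2016-03-02T16:22:09Z portal-web-1 203.0.113.22 50011
2016-03-03T08:55:12Z portal-web-1 198.51.100.7 49800
2016-03-03T23:14:51Z portal-web-1 192.0.2.44 2147483648
2016-03-04T02:10:05Z portal-web-1 192.0.2.44 3221225472
2016-03-04T11:01:00Z portal-web-1 203.0.113.10 46000
"""


def parse_egress_log(text):
    """Parse log lines into dicts with the day, host, destination and byte count."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        timestamp, host, dst, nbytes = line.split()
        records.append({"day": timestamp[:10], "host": host,
                        "dst": dst, "bytes": int(nbytes)})
    return records


def daily_totals(records):
    """Return host -> day -> [total bytes sent, set of destinations contacted]."""
    totals = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for rec in records:
        entry = totals[rec["host"]][rec["day"]]
        entry[0] += rec["bytes"]
        entry[1].add(rec["dst"])
    return totals


def flag_exfiltration(records, factor=10, min_history=2):
    """Flag host-days whose egress exceeds `factor` times the median of the
    host's previous days. The median, not the mean, is used as the baseline so
    that one huge day does not inflate the baseline and mask the day after it.
    Each alert also lists destinations the host had never contacted before."""
    alerts = []
    for host, days in daily_totals(records).items():
        history = []        # per-day totals seen so far for this host
        seen_dsts = set()   # destinations seen on earlier days
        for day in sorted(days):
            total, dsts = days[day]
            if len(history) >= min_history:
                baseline = median(history)
                if total > factor * baseline:
                    alerts.append({
                        "host": host,
                        "day": day,
                        "bytes": total,
                        "baseline": baseline,
                        "new_destinations": sorted(dsts - seen_dsts),
                    })
            history.append(total)
            seen_dsts |= dsts
    return alerts


if __name__ == "__main__":
    for alert in flag_exfiltration(parse_egress_log(SAMPLE_LOG)):
        print("{host} {day}: {bytes} bytes sent, baseline {baseline:.0f}, "
              "new destinations {new_destinations}".format(**alert))
```

Run against the sample, both abnormal days are flagged. Note that a mean-based baseline would have missed the second one: after a 2 GB day the average of the previous three days is around 715 MB, and a 3.2 GB day is not ten times that. The median stays at about 99 KB, which is the behaviour you want when the attacker has already had a few good days.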

So, just to repeat, this company existed in a world where secrecy and confidentiality were everything: where their customers made the fundamental assumption that their activities would remain hidden from public gaze, and that they could trust their lawyers to protect their interests at all times.

Despite all of that, this organisation appears to have disregarded pretty much every rule of information security.

So if a firm operating in that environment could be so bad at looking after their customers’ data, what about the thousands of other companies with an internet presence who are holding YOUR data? The small (and not so small) organisations you share your details with on a daily basis: the ones you order from online, the ones you send emails to with personal details included, the ones you upload photos, documents or whatever else to. How confident can you be that they are any better prepared than Mossack Fonseca?

And that’s why this story is relevant to my readers. Poor information security practices are endemic across all industries and all sizes of organisation. We put up with it because we are not big enough to make the difference on our own, and not rich enough to organise the campaigns necessary to force changes through.

Mossack Fonseca is the 4th biggest player in this field; you can bet the clients of numbers 1, 2 and 3 have been asking some very pointed questions over the past few days.

Maybe, just maybe, the exposure of the personal details of the richest, most powerful (and, let’s be honest, most scary) people on the planet might be the trigger that pushes real information security to the forefront of the thinking of governments and other influential bodies. Could this incident be the tipping point that’s always eluded us? Because, as sure as eggs are eggs, the hundreds of millions of personal records of ‘ordinary’ people that have been leaked over the past year were not seen as important enough.

Fingers crossed.

David

 
