Panama papers: how much of an insider job?

Last week I was asked by Wired UK to comment on the Panama Papers. Specifically, given how out-of-date the security measures on the Mossack Fonseca (MosFon) website looked, how might the data have escaped?

The story that was published gave an extensive overview of security problems, many more than I would have been able to spot myself, with comments from an impressive list of experts.

My quote in this:

We do know that it was a lot of data, and that it came out gradually. This points at an insider with enough access privileges to get to see all the data, but not enough privileges to be able to copy it all quickly to one disc

sounds a bit at odds with what some of my colleagues said. It’s clear from further discussions that nobody is really sure at this point anyway. I’d like to clarify my reasoning a bit further.

Mossack Fonseca itself told customers that it was an attack on their email servers. This is what ended up reported in El Espanol and subsequently The Register, but neither has details (e.g. was it really an attack on the server, or a phishing attack on staff via email?). The best source I’ve found for what happened is an article in Sueddeutsche Zeitung (SDZ). Particularly from the telling line “Mossack Fonseca created a folder for each shell firm”, I would say an attack on any emails going in or out of MosFon is unlikely to have been the direct cause of the leak. Neither those MosFon-created folders, nor any predictable or comprehensive amount of information from them, would naturally appear in emails. The SDZ article and other reports contain no indication that the journalists have had to deal with scattered information or incomplete files. So what SDZ got was likely complete folders. Otherwise, the report on processing the files would likely have included a huge sorting step at the start.

My overall line on the bad external security of MosFon would be a general judgement on their security measures, along the lines of “If they didn’t even X, then they certainly wouldn’t have Y” – with X being the many basic security issues described in the Wired article, and Y being things like Data Loss Prevention (DLP) and other methods of discovering access anomalies. Or, in a double-bluff scenario (and here comes the quoted bit), there might have been an insider who knew enough to stay under the radar of any DLP. I still don’t have a better explanation for the files coming out over a long period: files grabbed from emails would have been incomplete, but the total volume would have fitted on a single cheap hard disc, so there would have been no reason to do it slowly, especially when it was risky. A random hacker accidentally finding the security holes wouldn’t have taken the risks.

Note also that any gradual attack (starting via email servers, insecure web services or phishing, and then escalating privileges) should also have been caught by DLP etc. in the final stage. From that perspective, the exfiltration phase should have looked like an insider attack!
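To make the “under the radar of any DLP” point concrete, here is an added example of my own (not code from the post above, and nothing to do with any real MosFon system). It constructs a toy file-access audit log in which three ordinary staff members work on their own handful of client folders, while one user reads a few complete folders per day, always staying below a per-day byte limit, but over two months walks through every folder. A classic per-day DLP threshold never fires on that user; a rule that looks at how much of the client folder set a single account has touched within a sliding window does. The log format, user names, folder names and byte counts are all made up for the illustration.

```python
"""Low-and-slow exfiltration versus a per-day DLP threshold (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def make_log():
    """Build a constructed audit log: '<ISO timestamp> <user> READ <folder>/<file> <bytes>'."""
    lines = []
    start = datetime(2015, 1, 1)
    # One folder per shell firm, as the SDZ article describes; 200 is an arbitrary toy count.
    folders = [f"clients/firm{i:03d}" for i in range(200)]
    # Ordinary staff: each day read 3 of the ~10 folders they actually work on, 2 MB each.
    for day in range(60):
        ts = start + timedelta(days=day)
        for user, base in (("alice", 0), ("bob", 50), ("carol", 100)):
            for k in range(3):
                folder = folders[base + (day + k) % 10]
                lines.append(f"{ts.isoformat()} {user} READ {folder}/docs.pdf 2000000")
    # Insider "dave": 4 complete folders a day (16 MB, under a 20 MB/day limit),
    # but a different 4 every day, so all 200 folders are copied within 50 days.
    for day in range(60):
        ts = start + timedelta(days=day)
        for k in range(4):
            folder = folders[(day * 4 + k) % 200]
            lines.append(f"{ts.isoformat()} dave READ {folder}/full.zip 4000000")
    return lines


def parse_log(lines):
    """Parse log lines into (timestamp, user, folder, bytes) tuples."""
    events = []
    for line in lines:
        ts, user, _action, path, nbytes = line.split()
        folder = path.rsplit("/", 1)[0]
        events.append((datetime.fromisoformat(ts), user, folder, int(nbytes)))
    return events


def daily_threshold_alerts(events, limit_bytes):
    """Classic DLP rule: alert on any user who moves more than limit_bytes in one calendar day."""
    per_day = defaultdict(int)
    for ts, user, _folder, nbytes in events:
        per_day[(user, ts.date())] += nbytes
    return sorted({user for (user, _day), total in per_day.items() if total > limit_bytes})


def coverage_alerts(events, window_days, max_fraction):
    """Breadth rule: alert on any user who, within some sliding window of window_days,
    has read more than max_fraction of all client folders seen in the log.
    Keeping the daily volume small does not help here; breadth is what gives the insider away."""
    all_folders = {folder for _ts, _user, folder, _b in events}
    by_user = defaultdict(list)
    for ts, user, folder, _b in events:
        by_user[user].append((ts, folder))
    alerts = {}
    for user, evs in by_user.items():
        evs.sort()
        best = 0
        for i, (t0, _f) in enumerate(evs):
            window = {f for t, f in evs[i:] if t < t0 + timedelta(days=window_days)}
            best = max(best, len(window))
        fraction = best / len(all_folders)
        if fraction > max_fraction:
            alerts[user] = round(fraction, 2)
    return alerts


if __name__ == "__main__":
    evs = parse_log(make_log())
    print("per-day 20 MB threshold fires on:", daily_threshold_alerts(evs, 20_000_000))
    print("30-day folder-coverage rule fires on:", coverage_alerts(evs, 30, 0.25))
```

The first rule is the kind of check a cheap DLP product applies and is exactly what a knowledgeable insider tunes their daily take to stay beneath; the second needs nothing more than the same audit log and a notion of what “all the client folders” means, which is why its absence is the sort of Y that follows from a missing X.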

A final wild explanation, which shouldn’t make it into a publication as reputable as Wired, is that the different branches of MosFon used some not-quite-secure cloud system to transfer entire customer files between the sites. This would explain the gradual appearance of entire files. Maybe they even emailed (unencrypted!) complete customer files between their different offices, contradicting what I said earlier! But any of this would also imply holes in the journalists’ information for stories on networks of connected shell companies. So maybe not.