Data leaks have become commonplace, but when the details exposed are about the Queen's offshore accounts and the Russian links to President Donald Trump's top administration officials, the 13.4 million documents involved become the story, rather than the security issues, and that's certainly the case with the Paradise Papers.
As Mark Sangster, VP and Industry Security Strategist at eSentire, noted in an email to SC Media UK, “No amount of cyber-insurance, data back strategies, nor business continuity planning can ever put this genie back in the bottle.”
We don't actually know how the data was obtained, other than the fact that privileged information being made public suggests it would have likely entailed illegal and highly targeted means. We do know the documents were obtained by the German newspaper Süddeutsche Zeitung which issued a statement saying: "For their protection, Süddeutsche Zeitung does as a general policy not comment on its sources!"
Süddeutsche Zeitung called in the International Consortium of Investigative Journalists (ICIJ) to oversee the investigation. BBC Panorama and the Guardian are among the nearly 100 media groups investigating the papers.
The Paradise Papers comprise more than 1,400GB of data cataloguing offshore finance details, from 1950 to 2016, of many rich and famous, and not-so-famous, people. Most are not being accused of the crime of tax evasion, but they certainly will not welcome attention being drawn to their use of legal tax avoidance, which allows the rich to pay proportionately less tax than the poor. According to a BBC report, some 6.8 million documents come from offshore legal service provider Appleby and corporate services provider Estera; six million documents come from corporate registries in some 19 jurisdictions, mostly in the Caribbean. A smaller number come from Singapore-based international trust and corporate services provider Asiaciti Trust.
The justification of public interest will likely allow the use of the material, however it was obtained, and this approach, as with the earlier Panama Papers, suggests future such revelations are likely. And as Sangster also points out, it is legal and accounting firms that are now a particular target for such attacks.
Thomas Fischer, global security advocate at Digital Guardian, emailed SC Media UK to comment, “Putting aside the fact that the leaked financial details appear to include information about the murky world of offshore finance, for the victims, this leak could have life-altering or, at the very least, hugely distressing effects. Ultimately, the breach could trigger serious legal repercussions against Appleby. Data protection should be of the utmost importance in these businesses and yet we have seen a growing number of data breaches in law firms in recent times.
“This latest case reinforces the need for ‘data aware’ security technologies in the legal sector. If Appleby had such technologies in place, it could have prevented its most sensitive data from being copied, moved or deleted without approval or permission. Companies must learn from incidents like this and apply the right methods of protection to their IT environment, with the ability to apply security at the data-level being at the core.”
Sangster adds, “The parallels of Paradise Papers to last year's Panama Papers breach are obvious, however beyond the shock factor of the leaked data itself, what's more alarming is the depth and magnitude of this breach. Law and accounting firms should raise the alarm when it comes to their firm's cyber-security rigor.
“Panama Papers may have been opportunistic; however it laid a blueprint for these kinds of attacks. It has shone a spotlight on tax operations in the Caribbean, and while the mechanics of the breach itself have yet to be revealed, this was clearly a targeted attack. Appleby took appropriate response steps in notifying their clients, but you can't insure this. This class of events demonstrates why law firms must protect their clients' confidential information. No amount of cyber insurance, data back strategies, nor business continuity planning can ever put this genie back in the bottle.
“Law and accounting firms are particularly susceptible to ethical hacking and really, every firm should assume they'll be breached, because they will be breached. These firms house a treasure trove of sensitive data that when compromised can result in sometimes irrecoverable damage. This attack will have far-reaching impacts for those affected.”