Panama Papers data leak: Industry reaction

Yesterday, news broke of one of the largest and most controversial data breaches in history.

Around eleven million confidential documents from the notoriously secretive company Mossack Fonseca were leaked online, revealing the shady world of money laundering and tax avoidance amongst the world's rich and powerful.

Various industry professionals have now had their say on what is probably the biggest security scandal of the year so far, one that has swept up professional athletes, government officials and multiple heads of state.

Mark Sangster, VP of Marketing at eSentire:

"The Panama Papers breach represents a new security threat-scape. Insider threat is a growing concern. We’re seeing many cases of insider data breaches that involve leaking sensitive data for front running trades or more malicious intent. In this case, seemingly one individual got his or her hands on a massive collection of files spanning four decades. If this holds true, this extreme case of an apparent insider threat will result in catastrophic consequences for Mossack Fonseca.

"As with last week’s multi-law firm breach case, the elephant in the room is the target on law firms’ backs. Until now, the legal industry has generally operated within a loose set of cyber security guidelines. However quickly, we expect to see hardline compliance rules and fines come to firms with sub-standard cyber security defenses in the future."

Dodi Glenn, VP of Cyber Security at PC Pitstop:

"Given the bits of information we’ve already seen, I suspect many people will be caught in a lot of turmoil in the near future, as the documents are further analysed and more information is disclosed to the public. It’ll be interesting to see how many individuals come forward, admit they were caught, and resign from their positions.

"From a security standpoint, the amount of content leaked seems to dwarf Wikileaks’ Cablegate from 2010, but it’s hard to say at this point how the data was taken – whether it was an insider, a phishing attack, or malware. Long story short, if you want to keep something confidential, don't put it on a computer, specifically one connected to the Internet. The very second you do that, you can assume the data can be purloined."

Rajiv Gupta, CEO and founder of Skyhigh Networks:

“Political scandal, first through Edward Snowden and now through the Panama Papers hack, has followed bank robbery and espionage into the digital age. Only with online tools could a whistleblower hope to make off with 2.6 terabytes accounting for 11.5 million documents, and could journalists rely on powerful collaboration software to analyse the information.

“On the business side, this data breach should be a wake-up call to all industries: Hackers are not just after social security, health insurance, and credit card numbers. Determined attackers follow ideological, political, and financial motives. Organisations need to assume all sensitive information — from private transactions to personal communication to intellectual property — is a target.

“Organisations will need to start factoring cybersecurity capabilities into their vendor evaluation. The theft of client data draws awareness to the exposure organisations face from their business partners, especially those with access to large amounts of confidential information.”

Bruce Jubb, head of UK, WALLIX:

“It’s clear the Mossack Fonseca whistleblower gained the highest access privileges and was able to leak information undetected for many months. There’s no doubt that data breaches are now a board level issue. Senior management in organisations all around the globe should be scrambling to assess whether they have the right policies and measures in place to stop a malicious data leak happening to them.

“Motives can be very hard to spot and impossible to guess – unless you understand the signs that presage an insider attack. In the majority of cases there are clear behavioural warning signs that are observable prior to an attack taking place. These can include absenteeism, arguments with co-workers and poor performance. The IT department can play a major part in protecting organisations but a truly effective strategy requires a holistic approach involving management and the workforce itself.

“What companies have more immediate control over are the means and the opportunity. Careful attention needs to be paid to what access to information staff have, especially those traditionally given elevated access, such as the IT administrators, system administrators or “super users”. These credentials give the user access to the most critical data and indeed infrastructures.

“Protecting these log-ins should be the top priority for CIOs and risk managers everywhere, but too often these log-ins are granted on an ad-hoc basis and then shared around, making it almost impossible to trace the source of a leak. No technology is impregnable. No policy is foolproof. But at least companies should be in possession of a clear audit trail if things do go wrong.”

Zak Maples, Senior Security Consultant, MWR InfoSecurity:

"Whilst this breach has been given the title as the largest data leak in history, this can be somewhat misleading. It has been reported to be the largest due to the size of the data leaked. However, there are numerous different ways to measure how big a data breach is, in both tangible and intangible ways. For example, is the largest data breach one which involves the most number of individual people? The one with the largest amount of data stolen? Or one in which there is the most impact?

"Whilst this is uncertain, one thing that is clear is that data breaches are becoming an all too common trend that are often causing irreparable brand and reputational damage to the businesses involved. This proves that businesses need to take cyber security seriously as a business problem and not just an IT problem."
