In early April 2016 a Panamanian law firm experienced the biggest information leak in history when 2.6 terabytes of confidential data made its way into the world. (That’s 11 times the size of the Sony hack and 1,530 times the size of the WikiLeaks diplomatic cable leak.)
Nobody knows exactly how it came about (apart from the person who leaked it), but the firm had a few simple IT security vulnerabilities that could have allowed it to happen. And it might be that you share similar vulnerabilities that someone could take advantage of.
Of course, we’re not for a moment saying you’re dealing in anything as controversial as the leak. But you might be unaware of just how interesting your data could be to others and what they could use it for. You need to secure any files you think someone could exploit.
Theories on how it happened
The consensus is that Mossack Fonseca, the firm at the centre of the leak, has incredibly lax IT security. Wired reports that:
- they had not updated their Outlook Web Access login in seven years
- they had not updated their client portal, which used software with known vulnerabilities, in three years
- their website software was three months out of date.
Wordfence also discovered that Mossack Fonseca’s website used an out-of-date version of a third-party plugin with a major security vulnerability.
That’s bad enough, but the website was also on the same server as the firm’s emails. Exploiting the website could give someone access to the emails. As Gizmodo puts it, that’s like “keeping all your money in a single checking account and having your PIN be 1-2-3-4”.
All of this could lead to confidential information being compromised.
What you can learn from this
1. Keep your systems up-to-date.
No system is perfect. A system may not have any known vulnerabilities when you get it, but people are constantly trying to find and exploit flaws. Software companies release patches to fix those flaws, but you need to make sure you put those patches in place. This includes your website and any plugins that power it.
External access is often essential, but always carries some degree of risk. Limit this risk by limiting who has access. Ensure they use secure passwords. Only give external access to information that really requires it. Regularly review who has access and how they use it.
3. Use multi-factor authentication.
Multi-factor authentication means you can only access your system after you’ve provided more than one type of evidence that you are who you say you are. For example, to access your webmail you might need to provide both a password and a code that gets sent to your phone.
Hackers have the time and means to study and exploit what you put out in public. If they exploit what you’ve got out there, don’t give them the opportunity to get any further. (Most companies already have their websites hosted by a completely separate third party, so this isn’t an issue. But do be sure to check, particularly if your website plugs in to any of your other systems.)
Get our advice
Our Security Team can assess your existing set-up. They can recommend how you can keep your information from getting into the wrong hands. They can give an “attacker’s-eye view” with an external security scan that will pick up any exposed security flaws in your servers and your website.
Get in touch to talk about your options. It’s a small bit of effort to save you a lot of trouble later on.