On November 5, 2017, a set of 13.4 million highly confidential documents representing 1.4 terabytes of data were leaked to the public. Dubbed the Paradise Papers, these documents detailed secret offshore financial transactions conducted by 120,000 individuals and organizations that was similar to the release of the “Panama Papers” in 2016.
While the contents of these documents are being analyzed by the media, the fact of their existence in the public domain highlights yet again the precarious state of data security.
And while all industries are at risk of criminal data theft, it’s clear that law firms are becoming a particularly vulnerable target, as they represent a potential goldmine of highly sensitive — and potentially lucrative — information.
So, how did the Paradise Papers hack happen?
Paradise Papers Hack: What Happened and What Can We Learn?
The exact mechanics of the breach aren’t yet clear. But it’s worthwhile understanding the background and the setting for this incident so that we can place it in context within the greater topic of data security and see what lessons businesses can learn.
At the centre of the Paradise Papers leak lies the international law firm Appleby. As a major player in providing offshore financial services for wealthy clientele, Appleby exists in a murky world of holding companies, trusts, and tax havens that depends upon attracting as little attention to itself as possible.
Confidentiality is a key selling feature for which clients pay handsomely. As most people are unaware that these types of mechanisms exist, the leak has served to shine a light into corners where it’s definitely unwelcome.
In October 2017, German newspaper Süddeutsche Zeitung came into possession of the 13.4 million documents, determining they had apparently been stolen from Appleby and other entities. In turn, the news outlet handed them over to the International Consortium of Investigative Journalists (ICIJ), which oversaw the documents’ release to the public.
The leaked documents instantly generated an enormous amount of media attention, as they brought to light the financial transactions that celebrities, wealthy business people, heads of state, and corporations use to shield themselves from tax obligations — to the tune of $10 trillion.
What do we Know About The Data Leak?
Very little. Because of the obvious desire to maintain secrecy, the affected parties are keen to avoid disclosing details. Therefore, it’s difficult to know the exact hows and whys of this event.
But we can piece together some information.
In a published statement, Appleby claimed that they had been the victims of a recent criminal data breach, although some believe the hack occurred long before it became public.
“This was an illegal computer hack. Our systems were accessed by an intruder who deployed the tactics of a professional hacker and covered his/her tracks to the extent that a forensic investigation by a leading international Cyber & Threats team concluded that there was no definitive evidence that any data had left our systems,” read the statement.
Appleby claims that it is not the sole source of the 13.4 million documents. Instead, they suggest in their statement that only 7 million of the documents were extracted from their networks. Süddeutsche Zeitung corroborates this, saying the data comes from “Appleby, Asiaciti Trust, and from the company registers of 19 tax havens.” However, they also say that they are unable to state unequivocally that the data is the result of an illegal hack.
So at the moment, while it seems likely, we don’t know for certain whether this was an actual data hack as opposed to a deliberate leak from within. Either way, it speaks volumes about the state of data security, particularly when it comes to law firms.
Does This Suggest Law Firms Are Particularly Vulnerable To Data Theft?
In a word, yes.
According to an article published in Forbes,
“The FBI began warning firms that they were specifically being targeted by organized cyber criminals as early as 2009, and in 2011 invited 200 of the largest law firms to discuss the rise in sophisticated cyber-attacks targeted at law firms. Part of the reason for this is that law firms often present an easier target than some of their clients; if a hacker wants to steal sensitive information from a company, he may have better luck going after that company’s outside counsel.”
Not only are law firms becoming a more appetizing target and, therefore, at a greater risk of having their systems compromised, but 40% of law firms who suffered data losses in 2016 apparently didn’t even know they had been breached.
What Does This Say About Data Security in 2017?
Data security best practices are well-known. Managed IT companies routinely provide security assessments and planning to businesses to help protect their valuable data. A host of security consulting services are on hand to help prevent losses.
Yet despite the high awareness surrounding cyber threats, what is starting to become evident is that the motivations driving data theft have evolved beyond simple financial gain.
As the Paradise Papers hack shows, and as law firms are learning, sophisticated and well-equipped entities can also target businesses for ideological reasons, or merely to be disruptive.
Therefore, as would-be data thieves have an untold number of ways to access your critical data, they also have different reasons to covet it. Understanding why and to whom your data is considered valuable is becoming just as important as knowing how it’s targeted.
Even though your business may not have potentially embarrassing information about notable public figures, it’s still vitally important to recognize that all of your data may hold value to criminals — whether it’s to steal, exploit, or destroy it.
Prevention is still the most effective way to protect your data. Assessing your vulnerabilities from all angles will go a long way toward ensuring that you don’t fall victim to data theft. With that knowledge in hand, you can ultimately do a better job protecting your business.
PCM Canada is a leading provider of Managed IT services for mid-size and enterprise businesses. Contact us to learn how we can help your company overcome technology challenges so you can meet your business goals.