There has, unsurprisingly, been a vast amount of speculation as to the origins of the Panama Papers data leak. Initially it was thought to be an insider job; however, a partner at Mossack Fonseca has now claimed the firm was the victim of a hack, specifically a ‘spear phishing’ email attack.
So far, so ordinary. Spear phishing attacks take place every day, across every sector. Staff training and awareness can go a long way towards limiting their success, but the attackers are getting more sophisticated all the time. Only this month, employees at the BBC received spear phishing emails that were so personalized that they included their recipients’ home addresses.
Laying the blame
We’re not, therefore, going to berate an employee at Mossack Fonseca for falling victim to what was potentially an extremely sophisticated and personal form of attack, no matter how senior they were. It happens. It’s what appears to have happened next that should serve as a warning for every organization.
As eWeek commented, the volumes of data that have been extracted from Mossack Fonseca are truly enormous, and extremely varied. The article points out that even if someone walked through the doors of the law firm with a portable hard drive and started copying files, transferring this amount of information would have taken hours. Transferring it surreptitiously over the internet would have taken weeks or more.
The fact that this was possible, seemingly without anybody noticing and via a single point of access into the corporate network, suggests that the company had not followed some basic security best practices. This case should serve as a warning to other businesses to make sure they are following them.
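The point the two paragraphs above make is that moving this much data out over weeks is a slow, steady signal, and that a single compromised host pushing far more outbound traffic than it ever has before is exactly the kind of thing egress monitoring exists to catch. The script below is an added illustration of that check; it is not code from the original post, and it does not describe anything known about Mossack Fonseca's network. It assumes per-flow outbound byte counts of the sort a NetFlow/IPFIX collector or a web proxy log would give you, reduced to (day, source IP, destination IP, bytes) tuples, and the host names, addresses and volumes in the sample are constructed. Each host is compared against its own recent history rather than a fixed threshold, and days already flagged are kept out of the baseline so a multi-week exfiltration cannot quietly become the new normal.

```python
"""Flag hosts whose daily outbound volume stays far above their own baseline.

Added example, not code from the original post. Input is a list of
(day, src_ip, dst_ip, bytes_out) tuples; all sample data below is constructed.
"""
from collections import defaultdict
from statistics import median

MB = 1_000_000
DAYS = [f"2016-03-{d:02d}" for d in range(1, 13)]

# Constructed per-day outbound volumes in MB, one entry per entry in DAYS.
# 10.0.5.23: a week of ordinary traffic, then ~2 GB/day for five days straight.
# 10.0.5.40: ordinary traffic throughout.
# 10.0.5.51: one large one-off transfer (a backup, say) that should not alert.
PROFILES = {
    "10.0.5.23": [120, 95, 140, 110, 130, 105, 125, 2100, 1900, 2300, 2000, 2200],
    "10.0.5.40": [80, 90, 85, 70, 95, 88, 82, 91, 79, 84, 87, 90],
    "10.0.5.51": [50, 55, 48, 60, 52, 49, 57, 3000, 54, 51, 58, 53],
}
# 203.0.113.10 is a documentation (TEST-NET-3) address used as a stand-in peer.
SAMPLE_FLOWS = [
    (day, src, "203.0.113.10", mb * MB)
    for src, volumes in PROFILES.items()
    for day, mb in zip(DAYS, volumes)
]


def daily_egress(flows):
    """Sum outbound bytes per source host per day: {src_ip: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, nbytes in flows:
        totals[src][day] += nbytes
    return totals


def flag_sustained_egress(flows, baseline_days=7, ratio=5.0,
                          min_consecutive=3, floor_bytes=10 * MB):
    """Return one alert per run of at least `min_consecutive` consecutive days
    on which a host sent more than `ratio` times the median of its last
    `baseline_days` un-flagged days. `floor_bytes` stops a near-zero baseline
    from turning every byte into an alert on otherwise quiet hosts."""
    alerts = []
    for src, per_day in sorted(daily_egress(flows).items()):
        days = sorted(per_day)          # ISO dates sort correctly as strings
        flagged = set()
        streak = []

        def close_streak():
            if len(streak) >= min_consecutive:
                alerts.append({
                    "src_ip": src,
                    "first_day": streak[0],
                    "last_day": streak[-1],
                    "days": len(streak),
                    "bytes": sum(per_day[d] for d in streak),
                })
            streak.clear()

        for day in days:
            # Baseline = most recent un-flagged days only, so an ongoing
            # exfiltration does not drag its own baseline upwards.
            history = [per_day[d] for d in days
                       if d < day and d not in flagged][-baseline_days:]
            if len(history) < baseline_days:
                continue                 # not enough history to judge yet
            threshold = ratio * max(median(history), floor_bytes)
            if per_day[day] > threshold:
                flagged.add(day)
                streak.append(day)
            else:
                close_streak()
        close_streak()
    return alerts


if __name__ == "__main__":
    for alert in flag_sustained_egress(SAMPLE_FLOWS):
        print(f"{alert['src_ip']}: {alert['bytes'] / 1e9:.1f} GB outbound over "
              f"{alert['days']} days ({alert['first_day']} to {alert['last_day']})")
```

On the constructed sample only 10.0.5.23 is reported: the one-day spike from 10.0.5.51 is flagged for that day but never reaches the three-day run, and the steady host never crosses its threshold. In practice you would also look at where the bytes are going (how many distinct external destinations, whether the peer is one nobody else in the company talks to), but the per-host volume trend alone is enough to notice a single endpoint that has started behaving like a file server.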
What was missing?
Of course, not every corporate data leak hits the world’s headlines and unseats heads of government. But the Mossack Fonseca attack has clear lessons for all organizations – whatever their business.