Much has been made in the news lately of the “Panama Papers” security breach. To summarize, a Panama law firm (Mossack Fonesca) runs shell companies and other dubious tax shelter means for various individuals around the world. Recently, a major security breach of a record-setting 2.6 terabytes’ worth of data showed that the people using said services include many powerful political figures, wealthy individuals, and more. Victims of the fallout so far include Iceland’s prime minister, who’s stepped down.
As for how the security breach occurred, it looks like it might not be through any innovative means. It turns out Mossack Fonesca has had a lax approach to securing its websites. To run down the list of flaws:
- Unencrypted emails run through an outdated, 2009-era version of Microsoft’s Outlook Web Access.
- Their site’s running WordPress version 4.1, which was released in December 2014.
- The site’s theme is a three-year-old version of the Twenty Eleven theme. And the theme is for some reason in a directory named “/twentyten/.”
- The site also has a Drupal installation not updated since version 7.23, released three years ago.
All of the above add up to one big security nightmare.
While there’s a few instances one might need a shell company, nearly all uses of such I’ve seen are for shady or illegal purposes, particularly as tax dodging measures. Thus, I don’t have much empathy for the people busted by this leak. Still, even if you’re a Central American law firm, if you’re running WordPress, it’s important to follow basic security measures. The same goes for Drupal and any other software one’s running. Ignoring security for whatever reason isn’t a wise or frugal choice.
Pixabay photo by StockSnap (CC0 public domain)