Giving a sweeping view of how the ultra-wealthy use tax havens (amongst other things), 11.5 million documents have been leaked from a Panamanian law firm, pertaining to offshore accounts linked to over 12 current and former heads of state.
Those exposed include Russian Premier Vladimir Putin, Syrian President Bashar al-Assad, Chinese President Xi Jinping, Saudi Arabia’s King Salman, Icelandic Prime Minister Sigmundur David Gunnlaugson and Argentine President Mauricio Macri, among others.
The documents reveal that the firm, Mossack Fonseca, supposedly helped its clients launder money, commit fraud on a global scale, dodge international sanctions and, most commonly, use offshore interests to evade taxes in their home countries through methods both legal and illegal. For its part, the company told the BBC that it has operated beyond reproach for 40 years and has never been charged with criminal wrong-doing.
For our purposes at Infosecurity, it’s notable that this leak, dubbed the Panama Papers, is huge: It’s larger than the US diplomatic cables released by WikiLeaks in 2010, and it’s bigger than the Edward Snowden leak in 2013. It perhaps the largest leak of confidential information that the media has ever gained access to, bigger even than the Pentagon Papers (which occupies 48 boxes and 7,000+ pages of paper).
In total, there are 11.5 million documents and 2.6 terabytes of information drawn from Mossack Fonseca’s internal database, detailing day-to-day operations during the last 40 years, mostly having to do with the world’s most powerful people.
"Though the full political and legal ramifications of the leaked Panama Papers remains to be seen, the security implications are evident,” said Vishal Gupta, CEO of DRM provider Seclore, in an email. “Mossak Fonseca, a company known for its secretive business practices, has now become a poster child for the shortcomings of widely relied upon security solutions. While the exact method of data retrieval used in this case hasn’t been revealed, the fact of the matter is the data is out. Unless data-centric security solutions capable of persistently controlling use of documents are in place, there is very little likelihood Mossak Fonseca, or any data breach victim, can remediate the damage done from this incident."
The leak was made to German newspaper Sueddeutsche Zeitung, which then shared the files with the International Consortium of Investigative Journalists (ICIJ). The source of the leak is thus far unidentified.
The activities show the range of options open to the ultra-wealthy when it comes to the shadowy world of wealth preservation. The BBC reported that the papers detail that Gunnlaugson had an undeclared interest linked to his wife's wealth (probably not legal); and that they expose a suspected money laundering ring involving close associates of Putin (definitely not legal).
The Guardian also uncovered details pertaining to Putin in its analysis of what it says is a $2 billion money trail: “The Russian president’s best friend—a cellist called Sergei Roldugin—is at the centre of a scheme in which money from Russian state banks is hidden offshore. Some of it ends up in a ski resort where in 2013 Putin’s daughter Katerina got married.”
The ICIJ also said that the law firm’s customers include “dozens blacklisted by US authorities because of evidence they’d been involved in wrongdoing, such as doing business with drug lords, terrorist organizations or rogue nations like Syria and North Korea.”
Even UK PM David Cameron is implicated by association. The papers show that his father has made use of offshore tax havens to great effect. An offshore investment fund avoided ever having to pay tax in Britain by hiring Bahamas residents as “employees” to sign its paperwork. It’s all perfectly legal: The fund has been registered with HM Revenue and Customs since its inception and has filed detailed tax returns every year, according to the Guardian. But, some say it’s a bit unseemly for the head of state’s closest family member to be squirreling public funds out of the country in the name of self-interest.
One of the world leaders not implicated, French President Francois Hollande, hailed the "good revelations" which would "increase tax revenues from those who commit fraud.”
The responsible party has not come forward, leading some to wonder about the motivations behind the leak. Was it a vendetta? Anarchistic hacktivists? Principled finance reform types? Or was it simple whistleblowing? While outside hacking could be to blame, there is, of course, the real possibility that the breach is a result of an insider threat.
“It’s no secret that law firms are privy to data on the most sensitive fields and subjects—politics, finance and business transactions—just to name a few,” said Ari Juels, professor at the Jacobs Technion-Cornell Institute and member of the Cornell Tech Security Group, via email. “The Panama Papers leak appears to show just how critical it is that firms safeguard their information, not just from external forces, but also from inside adversaries.”
He added, “Cybersecurity conversations often focus on perimeter security and hacking, but this incident, like the Snowden leaks, reminds us that insider attacks are just as prevalent and often technically more difficult to address. In general, it’s difficult to create systems and policies that strike an appropriate balance between enablement of legitimate whistleblowing and protection against outright theft of data."
Cybersecurity expert Philip Lieberman, president and CEO of Lieberman Software, said in a lengthy note to media that the situation brings up the important issue of liability.
“Outside the USA there has been little interest by foreign law firms in investing in cybersecurity and for mounting competent cyber-defense capabilities,” he said. “This fact is of great value to many criminal and nation-state activities in the exploitation of weak security within law firms.”
He added, “The implications of law firm breaches are mind boggling since parties within lawsuits provide full disclosure of their chosen law firms as a matter of public record. It is a simple step for a criminal to move on to attacking an appropriate law firm to harvest their files. For a criminal this could mean the ability to manipulate stocks, access the personal records of principals within the companies and provide a way to blackmail persons based on information not publicly known.”
In the case of foreign or illegal transactions, the files of law firms may contain account numbers, PIN codes, passwords and other elements of accounts that may be exploited by an attacker, he noted.