There’s still much to be learned about the unauthorized release of the so-called Panama Papers, the documents exposing the financial interests of prominent world figures in offshore tax havens. What we know so far is that the release represents the single largest leak of data in history, totaling 2.6 terabytes of information—more than 11 million documents—and surpassing the next largest leak by an order of magnitude. We know that the origin of the information is Mossack Fonseca, a Panamanian law firm that specializes in legal, trust, intellectual property, and wealth management services. And, we know that the information contained within the Panama Papers is already having a major effect on international politics. Beyond the resignation of the prime minister of Iceland due to allegations stemming from the leaked information, for example, some Chinese news sources are decrying the papers as a western conspiracy. Additionally, it remains to be seen how implications of links to Presidents Vladimir Putin and Xi Jinping will affect the domestic situations within Russia and China.
What we don’t know is how this massive trove of information got out of Mossack Fonseca in the first place. Initial reports from the media claimed that a whistleblower, by implication someone inside the company, reached out to a reporter from the German newspaper Süddeutsche Zeitung. Yesterday, a partner in the firm, Ramon Fonseca, said the company was the victim of a hack and not an insider. It is unclear at this point exactly how the information was sent to the German reporter—the reporter will only say that a source contacted him through encrypted chat—or how the insider gained access to it in the first place. It wouldn’t be the first time a company suffered a major leak due to hacker activity; however, it would also be in Mossack Fonseca’s interest to avoid being seen as having an insider threat problem.
Recent history has provided a wealth of examples of how a leak from either an insider or an outsider could have played out. For insiders, we can look to the massive data leaks caused by Army Private Chelsea Manning and NSA contractor Edward Snowden. Both individuals were ostensibly motivated to release confidential information by a perception of misconduct on the part of the federal government. The level of trust and access placed in them made it possible for them to extract large volumes of information, which were then passed on to media outlets. Their stated goal was to effect policy changes by increasing transparency – a goal that could very well apply here if the Mossack Fonseca leaker was a whistleblower.
For outsiders, we can examine the breach of Hacking Team’s networks for insights into the methods and motivations of a possible hacker. Hacking Team was an Italian firm that specialized in creating malware for law enforcement and intelligence organizations. In 2015, approximately 400GB of their confidential information was released on the Internet by hackers. This was a significant blow to the company, and it appears that the hackers were able to gain access due to employees using extremely weak passwords. The hack itself was motivated by anger over Hacking Team’s unscrupulous business practices. Specifically, they sold spyware to repressive regimes, which then used those programs to crack down on dissenters. Thus, once again, the breach was motivated by a sense of moral outrage and a desire to publicly expose perceived wrongdoing.
What do these previous leaks tell us about the Panama Papers and, in a larger sense, modern information security? Simply put, the Panama Papers – like the Manning leak, the Snowden leak, and the Hacking Team hack – underscore the importance of people. Often in discussions about information security, there is a distinct focus on processes and technologies, but most cybersecurity professionals agree that the human factor is the single greatest vulnerability in any security system.
Insiders, whether malicious actors or altruistic whistleblowers, are people. They are trusted, they have access, and they have become disenchanted with their employers, but they are still a part of the human element within their organization.
Hackers usually prefer to exploit people in order to gain access to their targets. Broadly speaking, it is always easier to use a spear-phishing email or guess a weak password to get into an organization. As Lillian Ablon of the RAND Corporation told The Cipher Brief, “since humans interact with computers—and since humans can be manipulated—they are often a company or organization’s weak link.”
But arguably the most important part of the human element for these leaks has to do with the rationale behind the act—often characterized by the leaker as an issue of right and wrong. Leaks like the Panama Papers are criminal acts, but they are justified as moral acts rather than being motivated by vindictiveness or material gain. The people involved are outraged over something, and they often want to bring it out into the harsh light of day in the hopes that doing so will cause a change for the better. Organizations need to be aware of employee buy-in to their goals, or else they too risk having their secrets posted on the internet.
Luke Penn-Hall is the Cyber and Technology Producer at The Cipher Brief.