Jean-Yves Gilg

Editor, Solicitors Journal

Panama Papers: 'The law firm equivalent of Edward Snowden'

Panama Papers: 'The law firm equivalent of Edward Snowden'


Law firms urged to learn from Mossack Fonseca's cyber security practices

The leak of documents that reveal details of tax havens held by the global elite has been labelled the 'law firm equivalent of Edward Snowden', by a legal expert.

Over 11.5 million confidential files belonging to Panamanian law firm Mossack Fonseca are being trawled through by investigative journalists in an embarrassing mass leak for the firm and its clients.

So far the documents show how some of the world's richest people - including political leaders, criminals and celebrities - have hidden their money in secret offshore companies to allegedly launder money, dodge sanctions, and evade tax.

Any wrongdoing has been denied by the firm in question. In its response to the revelations, Mossack Fonseca pointed to adverse findings of less than 1 per cent of approximately 300,000 companies it had incorporated since its foundation in 1977.

Peter Wright, solicitor and managing director of Digital Law UK, has labelled the leak, 'the law firm equivalent of an Edward Snowden' and, as media reports have confirmed, the disclosure must have come about due to a whistleblower.

'The way that the information has then been leaked - in terms of the German newspaper that they gave it too and then the fact that it was passed to the International Consortium of Investigative Journalism (ICIJ) - means that it has been done in a very carefully staged managed manner,' he said.

'The size and nature of this makes me think we're not looking at an external hack. We're more than likely looking at someone internally who has decided to drawdown a rather large volume of documents. They've known exactly what to take out and what would cause the biggest amount of damage so it's been very specifically targeted.'

In its response to the revelations, Mossack Fonseca said: 'Over the last 18 months, we have reinforced our compliance department by hiring an additional 26 professionals to comply with new regulations as well as to conduct retroactive due diligence on all existing clients.'

Wright confirmed to SJ this was likely to be the act of a cybersecurity whistleblower and cited compliance issues prior to the attack, which required retroactive due diligence and the hiring of new staff.

'I can't help but think they've recruited someone who has taken a look at this and thought some of this is incredible when you look at some of the people involved. You can't help but think that was the reason why they blew the whistle,' he continued.

'I don't see how this operation could have been carried out by somebody outside of the organisation. If you were looking at someone who was very skilled from a tech perspective, they wouldn't have known how to get the toxic stuff.

'Whoever's been doing this - which is why I think it's one of the regulated people they've brought in - they'd have known exactly the most explosive revelations would be, which wouldn't be easy to find.'

Wright continued: 'The reason this has happened today is because you've got a law firm with a horrendous amount of information on its system. Clearly, it's too big to govern effectively.'

The cybersecurity expert urged law firms to learn from Mossack Fonseca's cyber security practices by carrying out 'very thorough due diligence' when hiring people and ensuring access to internal systems is limited.

'All too often people rely on statements on a CV or on a LinkedIn profile but it is important to do the background checks on that and get more than the bare minimum out of the former employer's HR department. Too few firms actually do that.'

On restricting access to information, Wright added: 'I think it is arguable that no-one individual should have been able to access all of that information. Very often you find that information is not properly ring-fenced so if you know where you're going, you can go onto a firm's server and go into a different department. That kind of free access across a network should not be permitted.'

On its own website Mossack Fonseca states that its offices are supported by 'secure, state of the art technology that is upgraded continually'. Wright, however, said: 'Today shows: "No, you're not".'

Brian Spector, CEO at MIRACL, said: 'As far as hackers are concerned, any legal firm represents a treasure trove of personal and financial data - but this latest attack is an absolute goldmine.

'Protecting your clients' data is a fundamental part of being a lawyer, so it's difficult to see how this firm can recover from a hack of this magnitude.'

Meanwhile, reports in the US suggest that almost 50 law firms have been the subject of an online security breach, with hackers seeking information on mergers and acquisitions.

New York security firm Flashpoint said that firms, including Hogan Lovells, Allen & Overy, and Freshfields, had been targeted by a Russian cybercriminal intent on stealing information for insider trading.