In addition to information and news about the GDPR, we would also like to provide you with technical information so that the topic of data protection is easier to understand. Article 32 of the GDPR requires that any data processing be carried out in accordance with the state of the art. We would like to demonstrate why this is so important using the Panama Papers of 2016 as an example.
Background
The term Panama Papers refers to a large number of confidential documents published by investigative journalists around the world in 2016, some of which revealed illegal tax avoidance practices. In the German-speaking world, the Süddeutsche Zeitung (Germany) and the Falter (Austria) were the main driving forces behind the research. In total, about 11.5 million documents with a volume of 2.6 terabytes (2600 gigabytes) were published.
The data, including emails, documents, commercial registers, etc., were mostly stolen from the dubious legal services company Mossack Fonseca, which ceased operations as a result of the scandal.
The documents proved the establishment of over 200,000 shell companies in various tax havens around the world. These were used by various politicians and top managers for tax avoidance, money laundering and evasion of UN sanctions. For more information, see the Wikipedia article.
Data acquisition
In the course of the publications, it became known how the whistleblower responsible was able to obtain the explosive documents before making them available to the Süddeutsche Zeitung.
The law firm Mossack Fonseca used the popular content management system (CMS) WordPress for its corporate website. WordPress is the undisputed market leader for homepages. The core system offers a robust basic structure with limited functionality; to customize a site further, there is a wide range of free and paid extensions (plugins).
Among other things, the law firm’s website had the “Revolution Slider” plugin installed, which makes it possible to create slideshows with little effort. However, the firm was not running the most current version at the time, but a version that was about two years old and had a serious and publicly known security vulnerability. Through it, the whistleblower was able to upload and execute his own program code on the website, which ultimately gave him full access to the WordPress installation.
This access alone would not have been very explosive. The law firm’s undoing, however, was that the two plug-ins used for newsletter dispatch stored the credentials of the e-mail accounts unencrypted. The attacker was able to read this information and thus gained access to the email accounts. This is where the firm’s lack of a security architecture comes into play: most likely the email account was not only used for sending and receiving newsletters but was also used by employees for client correspondence. With a clear separation, the attacker would only have been able to send a fake newsletter or see who was receiving the messages. Without it, the attacker was able to obtain explosive documents and emails.
In addition to the WordPress homepage, the law firm also operated a self-built system based on the CMS Drupal. This so-called Mossfon Client Information Portal was supposed to enable the secure retrieval of company information from around the world. But this system was not regularly maintained either: the Drupal version in use was three years old and had at least 23 known vulnerabilities, and it ran on a six-year-old Apache web server. This system was therefore anything but secure and could likewise be compromised by the attacker. It was primarily through this portal that the attacker obtained the documents on over 200,000 shell companies.
The state of the art is not a fixed construct but is subject to constant further development. Even the most secure software needs regular updates to meet this requirement. The law firm Mossack Fonseca did not perform regular maintenance on its systems and disregarded basic architectural principles. This made it easy for the attacker(s) to obtain the desired documents. While this attack was a step toward greater tax fairness, such failures can affect legitimate companies as well as individuals. It is therefore essential to maintain your IT systems on a regular basis; otherwise, even the best security solutions are of no use. It does not matter whether open-source or commercial software is used: in both cases the running system must be checked regularly.
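As an added illustration of the regular check described above (and of the outdated Revolution Slider plugin in the section before), here is a small Python script that reads the header comment of each installed WordPress plugin and flags any release older than the version in which a known vulnerability was fixed. It is not code from the original article or from any of the projects mentioned; the plugin sources and the “fixed in” table are constructed sample data, and the version numbers are placeholders, not the real Revolution Slider fix release.

```python
"""Flag installed WordPress plugins that are older than the release in which a
known vulnerability was fixed. Plugin metadata is read from the header comment
block that every WordPress plugin declares in its main PHP file."""
import re

# Matches the two header fields we need, with or without a leading " * " as used
# in docblock-style headers. WordPress itself reads these from the first comment.
_HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(php_source: str) -> dict:
    """Return {'name': ..., 'version': ...} taken from a plugin's header comment."""
    fields = {key: value for key, value in _HEADER_RE.findall(php_source)}
    return {"name": fields.get("Plugin Name"), "version": fields.get("Version")}


def version_key(version: str) -> tuple:
    """Turn '4.1.4' into (4, 1, 4) so releases compare numerically, not as strings
    (as strings, '4.10.0' would wrongly sort below '4.9.0')."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def outdated_plugins(installed: dict, fixed_in: dict) -> list:
    """installed: {slug: main-file PHP source}; fixed_in: {slug: first safe version}.
    Returns (slug, installed_version, fixed_version) for every plugin that is still
    running a release older than the one containing the fix."""
    findings = []
    for slug, source in installed.items():
        header = parse_plugin_header(source)
        if slug not in fixed_in or not header["version"]:
            continue  # no advisory for this plugin, or header unreadable
        if version_key(header["version"]) < version_key(fixed_in[slug]):
            findings.append((slug, header["version"], fixed_in[slug]))
    return findings


# Constructed sample data: two plugin headers in WordPress format and a constructed
# advisory table. The version numbers are placeholders chosen for the example.
SAMPLE_PLUGINS = {
    "revslider": "<?php\n/*\nPlugin Name: Revolution Slider\nVersion: 4.1.4\n*/\n",
    "contact-form": "<?php\n/**\n * Plugin Name: Contact Form\n * Version: 5.2.0\n */\n",
}
SAMPLE_FIXED_IN = {"revslider": "4.2.0", "contact-form": "5.1.0"}

if __name__ == "__main__":
    for slug, have, need in outdated_plugins(SAMPLE_PLUGINS, SAMPLE_FIXED_IN):
        print(f"{slug}: installed {have}, fixed in {need} -> update required")
```

In a real deployment the `installed` mapping would be filled by reading the main file of each directory under `wp-content/plugins/`, and the advisory table would come from the plugin vendors' release notes.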
For more information on the case, we recommend reading the articles by the security company Wordfence:
Mossack Fonseca Breach – WordPress Revolution Slider Plugin Possible Cause
Panama Papers: Email Hackable via WordPress, Docs Hackable via Drupal