Malicious Hackers are Not Law Firms’ Only Data Security Enemies

The Internet has been ablaze in the past week with articles and discussions about what appears to be the biggest data leak in history: 11.5 million documents (2.6 terabytes of information) that were leaked from the Panamanian law firm Mossack Fonseca—colloquially called the “Panama Papers.” This data leak is larger than both the WikiLeaks leak in 2010 and the Edward Snowden leak in 2013. Mossack Fonseca handles the offshore incorporation of its clients’ businesses for tax advantages and provides wealth management services. The documents purportedly reveal details about how the firm’s clients used offshore accounts to evade taxes.

A source sent the leaked law firm data to the German newspaper Süddeutsche Zeitung. The source’s only request was to remain anonymous, which is understandable given the scope and depth of the confidential information implicating many high-profile public officials and individuals.

Generally, law firms and data security professionals are more concerned about malicious hackers who might attack their networks from the outside and look to exploit the sensitive information they find. A recent Delta Risk whitepaper addressed many of the external threats to confidentiality that law firms encounter, in addition to the individual, attendant responsibilities lawyers face. These external threats are usually executed as phishing schemes, ransomware attacks, or distributed denial of service (DDoS) attacks.

While it is not clear who leaked the information from Mossack Fonseca, or how they got access to the documents, this latest incident illustrates that it may not always be an external hacker who poses the greatest threat to a law firm that is responsible for maintaining client trust. The source of the leaked documents could very well have been a disgruntled employee (past or present) with network access. Or the leak may have resulted from an employee selling his or her network access credentials to the whistleblower.

Although it may never be known how the documents were obtained, the public disclosure of this sensitive data is extremely damaging to the individuals whose personal information was disclosed and to the law firm responsible for maintaining those secrets.

Moreover, the exposed documents implicate world leaders, from Russia’s Vladimir Putin to the prime ministers of Pakistan, Iraq, and Iceland. (This revelation has already caused one prime minister to step down. It also appears to be a factor in the sudden resignation of Ukrainian Prime Minister Arseny Yatsenyuk.)

The individuals who retained Mossack Fonseca wanted to stay out of the public eye. After all, Mossack Fonseca is known as a giant of the offshore world with a reputation for extreme secrecy. Now, the disclosure of this information has catapulted their clients’ information into the public limelight. As a result, various governments have been steadily initiating investigations to uncover tax evasion and fraud matters relating to individuals named in the files.

The leak of information from this one law firm demonstrates how quickly and easily a firm’s reputation can come under fire. The legal industry is built on a foundation of trust. Confidentiality is why many clients come to lawyers. Law firms that suffer a breach—whether from a malicious hacker or from an inadvertent or intentional disclosure—will feel significant reputational effects, likely resulting in lost business.

Clients must be able to trust that their lawyers and their firms can keep their information confidential. That is why cybersecurity and data protection should be at the top of every law firm’s priority list.