Anatomy of a Breach: The Panama Papers — 11.5 Million Documents and the World's Biggest Leak

> series: anatomy_of_a_breach —— part: 087 —— target: mossack_fonseca —— documents: 11,500,000 —— size: 2.6TB

Hedgehog Security 31 March 2016 13 min read

11.5 million documents. 2.6 terabytes. The world's offshore secrets, leaked through unpatched WordPress.

On 3 April 2016, the International Consortium of Investigative Journalists (ICIJ) and over 100 media organisations worldwide simultaneously published stories based on the Panama Papers — 11.5 million documents (2.6 terabytes) leaked from Mossack Fonseca, a Panamanian law firm specialising in offshore company formation. The documents exposed the offshore financial structures of 12 current and former world leaders, 128 politicians and public officials, and thousands of wealthy individuals — revealing how offshore entities were used for tax avoidance, evasion, and money laundering.

The political consequences were immediate: Iceland's Prime Minister resigned, investigations were launched in dozens of countries, and the global offshore finance industry faced unprecedented scrutiny. But from a cybersecurity perspective, the more revealing story was how the leak occurred. Security researchers who analysed Mossack Fonseca's infrastructure found a catalogue of basic security failures: an outdated WordPress installation (version 4.1, with at least 25 known vulnerabilities), an unpatched Drupal portal for client document access, an email server running on the same network without encryption, and no evidence of security monitoring or testing.
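A defender-side check for the outdated-CMS findings described above, as an added example rather than code from the original article: it reads the generator tag from saved copies of pages you operate and applies the 14-day patching window this article cites. The baseline versions and dates, the sample pages and the `audit` function are constructed for illustration.

```python
import re
from datetime import date

# Default generator tag emitted by WordPress ("WordPress 4.1") and
# Drupal 7 ("Drupal 7 (http://drupal.org)", major version only).
GENERATOR = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']'
    r'(WordPress|Drupal)\s+(\d+(?:\.\d+)*)', re.IGNORECASE)

PATCH_WINDOW_DAYS = 14  # the 14-day patching window cited in this article

# Constructed baseline: first fixed version and its release date per CMS.
# Illustrative values only; load real ones from the vendor's release feed.
BASELINE = {
    "wordpress": ("4.4.2", date(2016, 2, 2)),
    "drupal": ("7.43", date(2016, 2, 24)),
}

def as_tuple(version):
    return tuple(int(part) for part in version.split("."))

def audit(html, today, baseline=BASELINE):
    """Classify one saved page from a site you operate."""
    match = GENERATOR.search(html)
    if not match:
        # A hidden banner is not evidence of patching.
        return {"cms": None, "status": "unverified", "days_overdue": None}
    cms, seen = match.group(1).lower(), as_tuple(match.group(2))
    fixed, released = baseline[cms]
    if len(seen) == 1:
        # Major version only (Drupal): patch level must be read on the host.
        return {"cms": cms, "status": "unverified", "days_overdue": None}
    if seen >= as_tuple(fixed):
        return {"cms": cms, "status": "current", "days_overdue": 0}
    overdue = (today - released).days - PATCH_WINDOW_DAYS
    status = "overdue" if overdue > 0 else "in_window"
    return {"cms": cms, "status": status, "days_overdue": max(overdue, 0)}

# Constructed sample pages standing in for saved copies of your own sites.
PAGES = {
    "www": '<head><meta name="generator" content="WordPress 4.1" /></head>',
    "portal": '<meta name="generator" content="Drupal 7 (http://drupal.org)" />',
    "intranet": "<head><title>Staff</title></head>",
}

if __name__ == "__main__":
    for site, html in PAGES.items():
        print(site, audit(html, today=date(2016, 3, 31)))
```

A site that hides its banner or reports only a major version is returned as `unverified`, so it stays on the list until the version is confirmed on the host.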


A law firm guarding global secrets with decade-old security.

Unpatched WordPress and Drupal

Mossack Fonseca's client-facing website ran WordPress 4.1 with over 25 known vulnerabilities. Its client document portal ran an outdated Drupal installation with the <a href="/blog/anatomy-of-a-breach-shellshock">Drupalgeddon</a> vulnerability. Our <a href="/vulnerability-scanning">vulnerability scanning</a> identifies outdated CMS installations, and <a href="/cyber-essentials">Cyber Essentials Danzell</a> mandates 14-day patching.

Email Server on the Same Network

The email server — containing decades of attorney-client communications — sat on the same network as the vulnerable web servers, with no segmentation. A compromise of the web server provided a direct path to the email archive. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> validates network segmentation.

Law Firms Hold the Most Sensitive Data

Law firms are custodians of their clients' most confidential information — financial structures, legal strategies, personal secrets. The Panama Papers proved that a law firm breach can have consequences at the level of heads of state. Our <a href="/blog/sector-under-the-microscope-legal">legal sector analysis</a> examines the specific threat landscape for law firms.

No Evidence of Security Testing

There was no indication that Mossack Fonseca had ever conducted a <a href="/penetration-testing/web-application">web application penetration test</a> or <a href="/vulnerability-scanning">vulnerability scan</a>. A single assessment would have identified the outdated WordPress, the unpatched Drupal, the absent segmentation, and the exposed email server.
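The segmentation finding above can be checked against your own firewall policy before an assessor does it for you. This added example (not code from the original article) treats zone-to-zone allow rules as a graph and reports every path, direct or transitive, from an internet-facing zone to a sensitive one. The zone names, ports and both rule sets are constructed.

```python
from collections import deque

def reachable_paths(rules, start):
    """Breadth-first walk over allow rules; maps each reachable zone to
    the list of (src, dst, port) hops that leads there from start."""
    graph = {}
    for src, dst, port in rules:
        graph.setdefault(src, []).append((dst, port))
    paths = {start: []}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for dst, port in graph.get(zone, []):
            if dst not in paths:
                paths[dst] = paths[zone] + [(zone, dst, port)]
                queue.append(dst)
    return paths

def exposure(rules, entry_zones, sensitive_zones):
    """Return {(entry, target): hops} for every sensitive zone that a
    host in an internet-facing entry zone is allowed to reach."""
    findings = {}
    for entry in entry_zones:
        paths = reachable_paths(rules, entry)
        for target in sensitive_zones:
            if target != entry and target in paths:
                findings[(entry, target)] = paths[target]
    return findings

# Constructed policy 1: web servers and mail share one network.
FLAT_RULES = [
    ("web", "mail", "any"),
    ("portal", "web", "any"),
    ("staff", "mail", "993"),
]
# Constructed policy 2: each public zone reaches only its own back end.
SEGMENTED_RULES = [
    ("web", "webdb", "3306"),
    ("portal", "docstore", "443"),
    ("staff", "mail", "993"),
]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        found = exposure(rules, ["web", "portal"], ["mail"])
        print(name, found or "no path from public zones to mail")
```

The flat policy yields a two-hop finding for the portal even though no rule names portal and mail together, which is why the check has to follow rules transitively.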

If you hold clients' secrets, your security is their security.

The Panama Papers had catastrophic consequences for Mossack Fonseca's clients — not because of anything the clients did wrong, but because their law firm failed to implement basic security controls. For UK law firms, professional services firms, and any organisation that holds clients' confidential data, the lesson is unambiguous: your clients' security depends on your security. If your firm is breached, your clients are exposed.

Our web application testing and infrastructure testing identify the vulnerabilities that Mossack Fonseca's systems contained. Cyber Essentials certification provides the baseline and demonstrates security investment to clients and regulators. SOC in a Box for Legal Services provides continuous monitoring. And UK Cyber Defence provides incident response when confidential data is at risk.


The Panama Papers exposed world leaders through an unpatched WordPress site. What does your law firm's security look like?

Our <a href="/penetration-testing/web-application">web application testing</a> finds the unpatched CMS. <a href="/blog/sector-under-the-microscope-legal">Our legal sector analysis</a> examines the threat landscape. <a href="https://www.socinabox.co.uk/sectors/solicitors">SOC in a Box for Legal</a> monitors 24/7.
