Breach Analysis

The Panama Papers: When Unpatched Software Toppled Governments

> breach.analysis —— target: Mossack Fonseca —— date: 2016-04-03 —— documents: 11,500,000 —— data: 2.6TB —— governments_toppled: YES

Hedgehog Security, 3 July 2016, 32 min read

The breach that toppled governments.

On the 3rd of April 2016, over 100 media organisations in 80 countries simultaneously published stories based on the largest data leak in the history of journalism. The source was 11.5 million confidential documents — 2.6 terabytes of data — stolen from a Panamanian law firm called Mossack Fonseca. The documents exposed the offshore financial activities of more than 214,000 entities, implicating 12 current or former heads of state, 60 people connected to current or former leaders, and a constellation of celebrities, billionaires, and criminals.

Within days, Iceland's Prime Minister had resigned. Within months, Pakistan's Prime Minister would be forced from office. The British Prime Minister faced damaging revelations about his family's finances. Associates of Vladimir Putin were exposed managing $2 billion through offshore structures. The ripples extended to every continent and dozens of jurisdictions, triggering investigations, resignations, and criminal proceedings that continue to this day.

And the cause of it all? An outdated WordPress plugin. An unpatched Drupal installation. An email server running Microsoft Outlook Web Access from 2009. A law firm that claimed to provide 'secure' client services but could not be bothered to apply security updates that had been freely available for years.

Three months on from the first publications, we at Hedgehog Security examine this breach as the most consequential case study in patch management failure in the history of cyber security — and as a stark warning to every professional services firm that holds confidential client data.



From anonymous source to global earthquake.

2014: An anonymous individual begins delivering encrypted data from Mossack Fonseca to Bastian Obermayer, a reporter at the German newspaper Süddeutsche Zeitung. The source's initial message: 'I want to make these crimes public.' When asked how much data was involved, the source replied: 'More than anything you have ever seen.'

February 2015: Süddeutsche Zeitung contacts the International Consortium of Investigative Journalists (ICIJ) to obtain assistance in analysing the vast dataset. A team of approximately 370 journalists from 107 media organisations across 80 countries is assembled. A communal database is created and the year-long analysis begins.

Early March 2016: ICIJ journalists begin contacting Mossack Fonseca and its intermediaries for comment. The firm discovers it has been breached and shifts into crisis mode. Its lawyer asks Panama's attorney general to 'urgently interrogate' journalists at their hotel and prevent them from leaving Panama — unsuccessfully.

3rd April 2016: Simultaneous global publication. Hundreds of stories appear in newspapers, websites, and broadcasts worldwide. 150 of the actual documents are published alongside the journalism. Mossack Fonseca tells clients the data was obtained through a hack of its email server.

4th April 2016: Mossack Fonseca releases a statement maintaining that its activities are legal and that it has operated 'without reproach' for 40 years. Co-founder Ramón Fonseca tells CNN the reports are 'false' and 'full of inaccuracies.'

5th April 2016: Iceland's Prime Minister Sigmundur Davíð Gunnlaugsson faces a no-confidence vote after revelations that he and his wife held an offshore company with claims on failed Icelandic banks. He resigns — the first political casualty of the Panama Papers.

May 2016: The ICIJ releases a searchable database of 214,000 offshore entities to the public. An anonymous individual calling themselves 'John Doe' publishes an 1,800-word statement explaining the motivation: 'massive, pervasive corruption' and the failure of governments to address tax havens.

March 2018: Mossack Fonseca announces it will cease operations, citing the 'economic and reputational damage' inflicted by the Panama Papers and 'unusual actions by certain Panamanian authorities.' The world's fourth-largest offshore law firm is dead.

The Scale of the Leak

The Panama Papers comprise 11.5 million documents totalling 2.6 terabytes of data — over 4.8 million emails, 3 million database files, 2.1 million PDFs, and hundreds of thousands of images and other files. This is a thousandfold larger than the WikiLeaks Cablegate leak and, at the time of publication, the largest data leak in the history of journalism. The documents span from the 1970s to December 2015 — over four decades of attorney-client privileged information.


An astonishing disregard for security.

The technical security failures at Mossack Fonseca were described by one expert as 'astonishing.' The firm — which held some of the most sensitive financial and legal information in the world, belonging to some of the most powerful people on earth — maintained an IT infrastructure that a competent penetration tester would have compromised in minutes.

Outdated WordPress with Vulnerable Plugin
Detail: The firm's public website ran on WordPress, more than three months out of date. Critically, it used an outdated version of the Revolution Slider plugin — a plugin with a well-known remote code execution vulnerability disclosed in October 2014. This vulnerability allowed a remote attacker to gain administrative access to the web server.
Severity: Critical. The Revolution Slider vulnerability was publicly known for over a year before the breach. Exploitation was trivial and well-documented. This is believed to be the primary entry point.

Unpatched Drupal Client Portal
Detail: The firm's 'secure' client portal — used to share confidential documents with clients — ran Drupal version 7.23, which had not been updated since 2013. This version contained at least 25 known security vulnerabilities, including 'Drupalgeddon' (SA-CORE-2014-005) — a critical SQL injection vulnerability allowing remote code execution.
Severity: Critical. Drupalgeddon was one of the most severe web application vulnerabilities of 2014. Any site running Drupal 7.31 or below was vulnerable. The client portal had not been patched for over two years.

Email Server on Same Network as Web Server
Detail: Mossack Fonseca's email server was hosted on the same IP address as its WordPress website. WordPress plugins contained credentials for the email server. Compromising the website provided direct access to the firm's entire email archive.
Severity: Critical. This is a fundamental violation of network segmentation principles. The web server — internet-facing and vulnerable — should never have been on the same network as the email server containing decades of confidential client communications.

Unencrypted Email (No TLS)
Detail: The firm's email communications were not encrypted with Transport Layer Security (TLS). Emails between the firm and its clients — containing the most sensitive financial and legal information — were transmitted in plaintext across the internet.
Severity: High. TLS for email is considered a basic security requirement. Its absence meant that anyone intercepting network traffic could read the firm's email communications.

Outlook Web Access from 2009
Detail: The firm's web-based email login was running Microsoft Outlook Web Access from 2009 — seven years out of date at the time of the breach, with multiple known vulnerabilities.
Severity: High. Running a seven-year-old version of any internet-facing software is indefensible. The accumulated vulnerabilities over that period represent an enormous attack surface.

Vulnerable to DROWN Attack
Detail: The client portal was vulnerable to the DROWN attack — a vulnerability that allows attackers to break TLS encryption by exploiting servers that support the obsolete and insecure SSLv2 protocol.
Severity: High. DROWN was disclosed in March 2016, weeks before the publication. The vulnerability existed because the portal supported SSLv2, which should have been disabled years earlier.

Professor Alan Woodward of Surrey University summarised the situation succinctly: Mossack Fonseca appeared to have been 'caught in a time warp.' The firm's IT infrastructure was a museum of unpatched, unsupported, and misconfigured systems — any one of which could have provided an attacker with access to the entire trove of confidential data. Together, they represented what one industry source described as a firm 'riddled with unpatched vulnerabilities.'


The secrets of the world's most powerful people.

Heads of State
12 current or former heads of state were implicated, including associates of Russian President Vladimir Putin managing $2 billion through offshore structures, Iceland's Prime Minister (who resigned), Pakistan's Prime Minister Nawaz Sharif (later disqualified from office), and Ukraine's President Petro Poroshenko. British Prime Minister David Cameron faced damaging revelations about his late father's offshore investment fund.
Financial Structures
Over 214,000 offshore entities were identified across dozens of jurisdictions. Whilst many offshore structures are legal, the documents revealed systematic use of shell companies for tax evasion, sanctions evasion, and money laundering. An internal Mossack Fonseca memo acknowledged that 95% of the firm's work involved 'selling vehicles to avoid taxes.'
Attorney-Client Privilege
The leak included decades of attorney-client privileged communications — the most protected category of information in the legal profession. Emails between the firm and its clients discussed the structure and purpose of offshore entities, the identity of beneficial owners, and strategies for maintaining secrecy.
Sports, Entertainment & Crime
FIFA officials, sporting figures including Lionel Messi, Hollywood actors, and individuals linked to organised crime were all identified in the documents. The breadth of the client base illustrated the global scale of the offshore financial industry.
Regulatory Failures
The documents revealed that Mossack Fonseca could not identify the beneficial owners of more than 70% of its 28,500 active companies in the British Virgin Islands and 75% of its 10,500 active companies in Panama — a staggering failure of know-your-customer due diligence.

Why professional services firms are uniquely vulnerable.

The Panama Papers breach exposes a systemic vulnerability in the professional services sector — and in law firms in particular. Law firms hold some of the most sensitive, consequential, and valuable information in existence: merger and acquisition plans, litigation strategy, intellectual property, tax structures, trust arrangements, and — as Mossack Fonseca demonstrated — the financial secrets of the world's most powerful individuals.

Yet law firms have historically underinvested in cyber security relative to other sectors handling comparably sensitive data. Many firms operate as partnerships with decentralised governance, making it difficult to impose and enforce security standards. IT departments are often small and under-resourced. Legacy systems persist because 'they work' — until they don't. And the professional culture of many firms prioritises client service and convenience over security controls that might add friction to daily workflows.

Mossack Fonseca embodied all of these characteristics. A firm that managed the financial secrets of presidents and billionaires could not manage to update a WordPress plugin. A firm that marketed a 'secure client portal' ran that portal on software with 25 known vulnerabilities. A firm that promised discretion stored its email archive on the same server as its public website. The gap between the firm's marketing and its reality was not merely embarrassing — it was catastrophic.

The lesson for every law firm, accountancy practice, management consultancy, and financial services firm is stark: if you hold sensitive client data, you are a target. Your clients' secrets are only as secure as your least-patched system. And the consequences of a breach extend far beyond your firm — they reach every client whose confidence you hold.


The test that would have taken minutes.

Of all the breaches we have analysed in this series, the Panama Papers represents the case where penetration testing would have been most immediately and obviously effective. The vulnerabilities that enabled the breach were not subtle, novel, or difficult to detect — they were well-known, publicly documented, and trivially exploitable.

External Vulnerability Scan
A basic external vulnerability scan — the first step in any penetration testing engagement — would have immediately identified the outdated WordPress installation, the vulnerable Revolution Slider plugin, the unpatched Drupal portal, the 2009 Outlook Web Access, and the DROWN vulnerability. These are automated findings that require no human skill or judgement to detect. A competent scanner would have flagged every one of these issues in minutes.
Web Application Testing
A web application penetration test against the Drupal client portal would have identified the SQL injection vulnerabilities (including Drupalgeddon), the accessible backend URLs, and the lack of input validation. The tester would have demonstrated the ability to execute arbitrary commands on the server — the same capability the attackers used to extract the data.
Architecture Review
Even a cursory architecture review would have identified the co-location of the email server and web server on the same network, the storage of email credentials within the WordPress database, and the absence of TLS encryption for email. These are architectural flaws so fundamental that they would be flagged in any security assessment.
Configuration Review
A configuration review would have identified the outdated software versions, the enabled SSLv2 protocol, the absence of security headers, and the misconfigured access controls on the Drupal backend. These are standard checks in any security assessment.

Estimated Risk Reduction: Penetration Testing

We estimate that a penetration testing programme — even a single, basic external assessment — would have reduced the likelihood of a breach of this nature by approximately 80–90%. This is our highest estimate for any breach in this series, reflecting the fact that every vulnerability exploited was well-known, publicly documented, and detectable by automated scanning tools. A firm that had conducted even one external vulnerability scan in the previous two years would have identified and — if it acted on the findings — remediated the critical weaknesses.


The certification that would have saved a law firm.

The Panama Papers breach is perhaps the most compelling advertisement for Cyber Essentials Plus certification that we could construct. Every one of the five CE+ controls directly addresses one or more of the vulnerabilities that enabled this breach.

Patch Management: This is the control that would have prevented the breach entirely. CE+ requires that software is kept up to date and that critical patches are applied within 14 days. The WordPress plugin, the Drupal installation, and the Outlook Web Access were all years out of date. CE+ compliance would have required their update, and the independent CE+ assessment would have verified that updates had been applied.

Secure Configuration: CE+ requires that systems are configured securely with unnecessary services disabled. The enabled SSLv2 protocol, the accessible Drupal backend URLs, and the co-location of email and web servers all represent secure configuration failures that a CE+ assessment would have identified.

Firewalls & Internet Gateways: CE+ requires properly configured firewalls. The absence of network segmentation between the web server and email server is a firewall configuration failure. Proper firewalling would have prevented the web server compromise from providing access to the email archive.

User Access Control: The storage of email credentials within the WordPress database represents an access control failure. CE+ requires that administrative credentials are properly managed and that access to sensitive systems is appropriately controlled.

Malware Protection: Whilst the attack did not involve traditional malware, the CE+ requirement for endpoint protection and monitoring would have enhanced the firm's ability to detect unauthorised access and data exfiltration from its servers.

Estimated Risk Reduction: Cyber Essentials Plus

We estimate that CE+ compliance would have reduced the likelihood of a breach of this nature by approximately 85–95%. This is the highest CE+ estimate in our entire series. The reason is simple: the Panama Papers breach was, at its core, a patch management failure — and patch management is one of the five explicitly assessed CE+ controls. A CE+ assessment would have identified the outdated software, the missing patches, and the insecure configurations with near-certainty, and certification would have been withheld until they were remediated.

Combined Estimated Risk Reduction: 90–95%

The combined effect of penetration testing and CE+ certification would have reduced the likelihood by approximately 90–95% — the highest combined estimate in our series. The residual 5–10% reflects the possibility that the breach was facilitated by an insider rather than a purely external attack, and the inherent difficulty of securing legacy systems with deep technical debt. But the overwhelming probability is that this breach would simply not have occurred had basic security hygiene been maintained.


The breach that rewrote the rules.

Law Firm Security Under Scrutiny
The Panama Papers put law firm cyber security on the agenda of every bar association, regulatory body, and malpractice insurer in the world. Firms that had treated IT security as a back-office concern were forced to confront the reality that their clients' secrets were only as secure as their least-patched WordPress plugin.
Global Tax Reform Accelerated
The political fallout accelerated international efforts to combat tax evasion and increase financial transparency. Six countries committed to publishing full registers of company ownership. The European Commission issued guidelines on preventing offshore tax evasion. The concept of beneficial ownership registers gained mainstream political support.
Data Journalism Transformed
The Panama Papers represented a milestone in collaborative data journalism. The project demonstrated that hundreds of journalists across dozens of countries could analyse 2.6 terabytes of confidential data over more than a year without a single leak — a feat of operational security that Mossack Fonseca itself could not match.
Whistleblowing Legitimised
The 'John Doe' statement — explaining the motivation for the leak as a response to 'massive, pervasive corruption' — contributed to the growing legitimacy of whistleblowing as a mechanism for public accountability. The statement explicitly called for stronger protections for whistleblowers and greater financial transparency.
A Law Firm Destroyed
Mossack Fonseca — the world's fourth-largest offshore law firm — closed in March 2018. It could not survive the reputational and economic damage of the leak. This is the ultimate consequence of security failure for a professional services firm: not merely a fine or a lawsuit, but the end of the business itself.

Practical steps for professional services firms.

Critical: Patch everything, immediately, always. Apply security updates within 14 days of release. Automate where possible. Never allow internet-facing software to fall behind on security patches. The Panama Papers breach was caused by patches that were freely available but not applied — for years.

Critical: Segment your network. Email servers, client portals, and public websites must be on separate network segments. Compromising one system must not provide access to others. The co-location of Mossack Fonseca's email and web servers was a catastrophic architectural failure.

Critical: Encrypt all communications. Implement TLS for all email. Use HTTPS for all web services. Disable obsolete protocols (SSLv2, SSLv3, TLS 1.0). Encrypted communications are a baseline requirement, not a premium feature.

High: Conduct regular penetration testing. For professional services firms holding confidential client data, external penetration testing should be conducted at minimum annually. The Panama Papers vulnerabilities would have been identified by any competent assessment.

High: Achieve Cyber Essentials Plus certification. The five CE+ controls — particularly patch management and secure configuration — directly address the failures that caused this breach. CE+ certification provides independent verification that basic security hygiene is maintained.

High: Never store credentials in application code or databases. The WordPress database contained email server credentials. Use secrets management solutions. Separate authentication systems from application systems.

High: Implement a vulnerability management programme. Subscribe to security advisories for every software component in your estate. Track vulnerabilities. Prioritise remediation. A firm using WordPress, Drupal, and Outlook Web Access should have been aware of every vulnerability disclosed in those products.

Medium: Consider your firm's existential risk. For Mossack Fonseca, a data breach did not merely cost money — it destroyed the firm entirely. Professional services firms must understand that their existence depends on client trust, and that trust depends on security.
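As an added example (not Hedgehog Security's tooling, nor anything from the firm), the Python below applies the checks described in this section and in the 'test that would have taken minutes' section to a constructed inventory that mirrors the vulnerability table: version comparison against advisories with the 14-day CE+ patch window, SSLv2 left enabled, mail offered without TLS, and a mail server co-located with a public web service. Hosts, component versions, the Revolution Slider fix version and the exact advisory days are assumptions; the Drupal fix boundary (7.31 or below vulnerable) and the October 2014 disclosures come from the article.

```python
"""Patch-SLA and exposure review over a constructed component inventory.

Added example, not the article's or either firm's code. It applies the checks
the article describes (known-vulnerable versions against the 14-day CE+ patch
window, SSLv2 left on, mail without TLS, mail and web on one host) to an
inventory that mirrors the article's table. Hosts, versions and fix versions are constructed.
"""
from dataclasses import dataclass
from datetime import date

PATCH_SLA_DAYS = 14  # patch window the article quotes for Cyber Essentials Plus


@dataclass
class Component:
    host: str
    role: str                  # "web", "portal" or "mail"
    product: str
    version: str
    tls_offered: bool = True
    tls_protocols: tuple = ()  # protocol versions the service accepts


@dataclass
class Advisory:
    product: str
    ident: str
    fixed_in: str              # first version carrying the fix
    disclosed: date
    severity: str


def parse_version(text):
    """'7.23' -> (7, 23); tuples compare numerically, unlike strings."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(comp, adv):
    return comp.product == adv.product and parse_version(comp.version) < parse_version(adv.fixed_in)


def assess(inventory, advisories, as_of):
    """Return (severity, host, description) findings, most severe first."""
    findings = []
    for comp in inventory:
        for adv in advisories:
            if is_vulnerable(comp, adv):
                overdue = (as_of - adv.disclosed).days - PATCH_SLA_DAYS
                findings.append((adv.severity, comp.host, f"{comp.product} {comp.version} is below "
                                 f"{adv.fixed_in} ({adv.ident}); patch overdue by {overdue} days"))
        if comp.tls_offered and "SSLv2" in comp.tls_protocols:
            findings.append(("High", comp.host, f"{comp.role}: SSLv2 still enabled (DROWN exposure)"))
        if comp.role == "mail" and not comp.tls_offered:
            findings.append(("High", comp.host, "mail: no TLS, messages transit in plaintext"))
    # Segmentation: a mail server must not share a host with a public web service.
    roles_by_host = {}
    for comp in inventory:
        roles_by_host.setdefault(comp.host, set()).add(comp.role)
    for host, roles in roles_by_host.items():
        if "mail" in roles and roles & {"web", "portal"}:
            findings.append(("Critical", host, "mail server co-located with public web service"))
    rank = {"Critical": 0, "High": 1, "Medium": 2}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))


# Constructed inventory mirroring the article's findings (RFC 5737 example addresses).
INVENTORY = [
    Component("203.0.113.10", "web", "revslider", "3.0.95"),
    Component("203.0.113.10", "mail", "owa", "2009", tls_offered=False),
    Component("203.0.113.20", "portal", "drupal", "7.23", tls_protocols=("SSLv2", "TLSv1")),
]
# Disclosure month from the article; the revslider fix version and exact days are assumed.
ADVISORIES = [
    Advisory("drupal", "SA-CORE-2014-005", "7.32", date(2014, 10, 15), "Critical"),
    Advisory("revslider", "Revolution Slider advisory (2014)", "4.2", date(2014, 10, 1), "Critical"),
]


def example_findings(as_of=date(2016, 4, 3)):
    """Findings for the constructed estate as of the article's publication date."""
    return assess(INVENTORY, ADVISORIES, as_of)
```

Running `example_findings()` yields three Critical and two High findings; the same `assess` call run against a real asset inventory and a current advisory feed is the core of the vulnerability management programme the recommendation describes.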

The most preventable catastrophe in cyber security history.

The Panama Papers breach is, in our assessment, the most preventable catastrophe in the history of cyber security. Not because the consequences were the most severe — though toppling governments and destroying a major law firm places it in the first rank of severity — but because the cause was so breathtakingly basic. This was not a sophisticated, state-sponsored operation exploiting zero-day vulnerabilities. It was not a determined insider circumventing layered defences. It was not a novel attack technique that the security community had not yet learned to defend against.

It was a failure to apply software updates. Updates that were freely available. Updates that addressed publicly known, well-documented, trivially exploitable vulnerabilities. Updates that the entire security community had been urging organisations to apply for years. The Revolution Slider vulnerability had been disclosed in October 2014. Drupalgeddon had been disclosed in October 2014. Mossack Fonseca's Outlook Web Access had been obsolete since 2009. Every one of these issues would have been identified by an automated vulnerability scan in minutes. Every one would have been flagged by a Cyber Essentials Plus assessment. Every one could have been remediated at negligible cost.

Instead, the firm that held the financial secrets of presidents and billionaires could not be troubled to update a WordPress plugin. The consequences — political upheaval across multiple continents, the destruction of the firm itself, criminal proceedings against its founders, and the reshaping of global tax policy — stand as the most powerful argument for basic security hygiene ever constructed.

Patch your systems. Test your defences. Verify your security. The cost of doing so is negligible. The cost of not doing so can be measured in toppled governments.

This article is the first in a two-part series examining the Panama Papers breach. An update examining subsequent developments — including the firm's closure, criminal proceedings, and the long-term regulatory impact — will be published in January 2017.


When did you last patch your internet-facing systems? When did you last test them?

Our penetration testing identifies the same vulnerabilities that brought down Mossack Fonseca — outdated CMS installations, unpatched plugins, misconfigured servers, and architectural weaknesses. Our Cyber Essentials Plus certification verifies that your patch management, secure configuration, and access controls meet the baseline standard. Don't let an unpatched plugin destroy your firm.
