Breach Analysis

The Panama Papers: Six-Month Update — Arrests, Closure, and a World Still Reeling

> breach.update —— target: Mossack Fonseca —— months_elapsed: 9 —— political_casualties: MOUNTING —— firm_status: TERMINAL_DECLINE

Hedgehog Security 3 January 2017 28 min read

Nine months on — the aftershocks intensify.

Six months ago, we published our initial deep-dive analysis of the Panama Papers breach — the largest data leak in the history of journalism, caused by the most preventable security failures we have ever examined. In that article, we documented how an outdated WordPress plugin and an unpatched Drupal installation enabled the exfiltration of 2.6 terabytes of confidential legal documents, exposing the offshore financial activities of over 214,000 entities and triggering the resignation of Iceland's Prime Minister within days of publication.

Nine months on, the political, legal, and regulatory aftershocks continue to intensify. Mossack Fonseca is in terminal decline. Criminal proceedings are advancing against the firm's founders. Additional heads of state have been implicated and removed from office. Regulatory reforms are reshaping the global financial system. And the law firm sector is undergoing a long-overdue reckoning with its cyber security obligations.


The papers that keep on claiming casualties.

The political consequences of the Panama Papers have continued to accumulate far beyond the initial wave of resignations and revelations.

| Country | Consequence |
| --- | --- |
| Iceland | Prime Minister Sigmundur Davíð Gunnlaugsson resigned in April 2016 after revelations about an offshore company he and his wife held. He was the first — but far from the last — political casualty. |
| Pakistan | Prime Minister Nawaz Sharif was investigated by the Supreme Court over discrepancies between his family's declared assets and their offshore holdings as revealed in the Panama Papers. In July 2017, the Supreme Court disqualified him from office — the most senior political figure to fall as a direct result of the leak. |
| United Kingdom | Prime Minister David Cameron faced sustained pressure after it emerged that his late father had set up an offshore investment fund through Mossack Fonseca. Cameron eventually admitted he had held units in the fund. The revelations contributed to the erosion of trust in the political establishment in the run-up to the Brexit referendum. |
| Russia | Associates of President Vladimir Putin were revealed to have managed approximately $2 billion through a network of offshore entities. The Kremlin dismissed the revelations as a Western provocation, but the documents provided unprecedented detail about the financial networks surrounding Putin's inner circle. |
| Panama | The government established an inquiry committee, but controversy erupted when Nobel Prize-winning economist Joseph Stiglitz and anti-corruption expert Mark Pieth resigned from the panel after the government refused to publish its findings. Mossack Fonseca's founders were subsequently arrested in February 2017. |
| Global | Investigations were launched in dozens of countries. Tax authorities used the data to pursue revenue recovery. Anti-corruption agencies opened cases. The cumulative political impact is still being assessed, but the Panama Papers have been credited with catalysing more governmental action on financial transparency than any single event in history. |

The law firm in the dock.

In February 2017, Panamanian authorities arrested Mossack Fonseca's co-founders, Jürgen Mossack and Ramón Fonseca, on money laundering charges. German prosecutors subsequently issued international arrest warrants for both men. The charges relate to the alleged facilitation of money laundering through the creation of shell companies designed to conceal the identity of beneficial owners and the origin of funds.

The firm itself continued to operate on a diminished basis through 2017, but the reputational damage was terminal. Clients departed. Regulators in multiple jurisdictions increased scrutiny. Staff were made redundant. By March 2018, Mossack Fonseca would announce its permanent closure, citing the economic and reputational damage inflicted by the Panama Papers and what it described as 'unusual actions by certain Panamanian authorities.'

For professional services firms, the trajectory of Mossack Fonseca offers a sobering lesson. This was not a small or marginal operation — it was the world's fourth-largest offshore law firm, with 600 staff across 42 countries and revenues exceeding $100 million. A single data breach, caused by a failure to apply freely available security patches, destroyed the business entirely.

The Ultimate Consequence

Mossack Fonseca did not merely suffer a fine, a lawsuit, or a regulatory sanction. It ceased to exist. The world's fourth-largest offshore law firm was killed by an unpatched WordPress plugin. There is no more powerful argument for basic security hygiene than the death of a major professional services firm that failed to practise it.


Rewriting the rules of financial transparency.

The Panama Papers have catalysed regulatory reform on a scale that would have seemed impossible before April 2016.

Beneficial Ownership Registers

At the London Anti-Corruption Summit in May 2016, six countries committed to publishing full registers of company ownership. The EU's Fourth and Fifth Anti-Money Laundering Directives have strengthened requirements for beneficial ownership transparency. The concept of a public register identifying the real people behind corporate structures has moved from a campaigners' aspiration to a mainstream policy objective.

Enhanced Due Diligence

Regulators worldwide have tightened requirements for customer due diligence by firms providing corporate services. The revelation that Mossack Fonseca could not identify the owners of the majority of its active companies prompted a fundamental reassessment of the adequacy of existing know-your-customer (KYC) standards.

International Cooperation

The Panama Papers accelerated international cooperation on tax evasion and financial crime. Automatic exchange of tax information between jurisdictions — previously resisted by many offshore centres — has gained significant momentum. The OECD's Common Reporting Standard has been adopted by an increasing number of countries.

Law Firm Security Standards

Bar associations and regulatory bodies in multiple jurisdictions have issued guidance on cyber security for law firms. The Solicitors Regulation Authority in England and Wales has made cyber security a priority area, and malpractice insurers are increasingly requiring evidence of security controls as a condition of coverage.

Updated figures confirmed by subsequent events.

Our initial risk reduction estimates for the Panama Papers breach were already the highest in our series. Nine months on, with additional information about the firm's security posture and the confirmation that the vulnerabilities were as basic as initially reported, we see no reason to revise these estimates downward. If anything, the additional evidence strengthens our initial assessment.

Risk Reduction Summary — Panama Papers Breach

── Penetration Testing ─────────────────────────────────────────────────
Estimate:   80–90% risk reduction [CONFIRMED]
Rationale:  Every vulnerability was publicly known & scannable
            Revolution Slider, Drupalgeddon, OWA 2009, DROWN
            A single external scan would have found them all

── Cyber Essentials Plus ───────────────────────────────────────────────
Estimate:   85–95% risk reduction [HIGHEST IN SERIES]
Rationale:  Core failure was PATCH MANAGEMENT — a CE+ control
            Secure configuration, firewalls also directly relevant
            CE+ assessment would have withheld certification

── Combined Effect ─────────────────────────────────────────────────────
Estimate:   90–95% risk reduction [HIGHEST IN SERIES]
            This breach was caused by freely available patches not being applied.
            It is the most preventable catastrophe in cyber security history.

── Residual Risk ───────────────────────────────────────────────────────
Remaining:  5–10%
Factors:    Possible insider facilitation
            Deep legacy technical debt
            Unknown additional attack vectors

When journalists are more secure than the firms they investigate.

One of the most striking aspects of the Panama Papers story is the contrast between the security practices of Mossack Fonseca and those of the journalists who analysed the leaked data. The ICIJ maintained operational security over 2.6 terabytes of the most sensitive financial data in the world, shared across 370 journalists in 80 countries, for over a year — without a single leak. They used encrypted communications, secure collaboration platforms, and rigorous access controls. They understood the sensitivity of the material they held and invested accordingly in its protection.

Mossack Fonseca, by contrast — the firm that created and curated this data, the firm whose entire business depended on client confidentiality, the firm that marketed a 'secure client portal' — ran its infrastructure on software last updated in 2013 and stored its email credentials in a WordPress database. The journalists demonstrated a higher standard of information security than the law firm they were investigating. This inversion should shame every professional services firm that underinvests in security.


The single most important security control.

If there is one lesson that the Panama Papers breach teaches above all others, it is the paramount importance of patch management. Patch management is not glamorous. It does not involve sophisticated threat intelligence, advanced machine learning, or cutting-edge zero-trust architectures. It involves the simple, unglamorous, essential discipline of keeping software up to date.

The National Cyber Security Centre (NCSC) has repeatedly stated that patching known vulnerabilities is one of the single most effective things an organisation can do to protect itself. The Cyber Essentials scheme places patch management as one of its five core controls. Every major security framework — ISO 27001, NIST CSF, CIS Controls — emphasises the importance of timely patching. The security community has been saying this for decades.

And yet, in 2016, a major international law firm was running internet-facing software with vulnerabilities that had been publicly known and patched for over two years. The patches were free. The vulnerabilities were well-documented. Automated scanners could detect them in seconds. And the firm simply did not bother to apply them.

The Panama Papers breach did not require a sophisticated attacker. It did not require a nation-state budget. It did not require insider access or social engineering. It required only that someone — anyone — notice that a law firm handling the secrets of the world's most powerful people had not updated its website since 2013. That is the terrifying simplicity of this breach, and it is the reason why our risk reduction estimates for both penetration testing and Cyber Essentials Plus are the highest in our entire series.


Cyber insurance tightens its grip.

The Panama Papers breach has had a significant impact on the professional indemnity and cyber insurance markets for law firms. Insurers have observed that a single unpatched vulnerability can destroy a professional services firm entirely — and they have adjusted their underwriting criteria accordingly.

Firms seeking cyber insurance or professional indemnity cover are increasingly required to demonstrate basic security controls — including patch management, access controls, and encryption — as a condition of coverage. Some insurers now require evidence of penetration testing or Cyber Essentials Plus certification. Premiums for firms that cannot demonstrate adequate controls have risen significantly, and some insurers have declined to cover firms whose security posture falls below a minimum threshold.

For law firms, this represents a double incentive for security investment. Not only does adequate security protect against the direct consequences of a breach — it also protects access to the insurance coverage that provides a safety net if a breach does occur. Firms that neglect security may find themselves uninsurable at the moment they need coverage most.


Your website is part of your attack surface.

The Panama Papers breach highlights a risk that many organisations — particularly professional services firms — underestimate: the risk posed by their own website. Many firms treat their website as a marketing asset, managed by a web design agency, running on a commodity CMS, and largely disconnected from the firm's 'real' IT infrastructure. The Panama Papers demonstrated that this assumption can be fatally wrong.

At Mossack Fonseca, the public website was the entry point for the entire breach. The website was on the same network as the email server. The WordPress database contained email credentials. The client portal — nominally a separate system — was accessible from the same infrastructure. The attacker did not need to breach the firm's internal network through a VPN or exploit a complex authentication system. They simply hacked the website.

Every organisation must recognise that its website — including third-party plugins, themes, and integrations — is part of its attack surface. Websites must be kept updated, tested, and monitored with the same rigour as any other internet-facing system. If the website is connected, directly or indirectly, to internal systems, it must be treated as a potential entry point for attackers targeting those systems. And if it is managed by a third-party agency, the organisation must ensure that the agency's security practices meet the required standard — because when the breach occurs, it is the organisation, not the agency, that faces the consequences.


What every law firm must do now.

The Panama Papers breach should be treated as a watershed moment for the legal profession's approach to cyber security. The following recommendations apply to every law firm, regardless of size, jurisdiction, or practice area.

| Recommendation | Detail |
| --- | --- |
| Treat Client Data as Your Most Valuable Asset | Your firm's reputation — and its continued existence — depends on the confidentiality of client data. Invest in its protection accordingly. Mossack Fonseca demonstrated that a law firm can be destroyed by a data breach. No firm is immune. |
| Implement Automated Patch Management | Automate security updates wherever possible. Where automation is not possible, implement processes that ensure patches are applied within 14 days of release. Subscribe to security advisories for every software component in your estate. The Panama Papers were caused by patches not applied for years. |
| Separate Client Data from Public Infrastructure | Client portals, email servers, and document management systems must be on separate network segments from public-facing websites. Compromising a website must never provide access to client data. This is a fundamental architectural requirement. |
| Achieve Cyber Essentials Plus Certification | CE+ provides independent verification of the five baseline controls — including patch management — that would have prevented this breach. It is increasingly expected by clients, regulators, and insurers. For a law firm, it should be considered a minimum standard. |
| Commission Annual Penetration Testing | External penetration testing should be conducted at minimum annually, with additional testing after significant infrastructure changes. The Panama Papers vulnerabilities would have been identified by any competent engagement. Testing is an investment in survival. |
| Encrypt Everything | Implement TLS for all email. Use HTTPS for all web services. Encrypt client data at rest. Disable obsolete protocols. In 2017, unencrypted email between a law firm and its clients is indefensible. |
| Prepare an Incident Response Plan | Have a documented plan covering detection, containment, regulatory notification, client notification, and media management. Test it annually. Mossack Fonseca's response — attempting to have journalists detained — illustrates what happens when there is no plan. |
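
One way to turn the 14-day patch window recommended above into a repeatable check, shown as an added example that is not part of the original article or any Hedgehog Security tooling. The inventory format, component names, versions and dates are constructed placeholders, and versions are assumed to be dotted integers.

```python
"""Patch-window audit: flag components whose available security fix is overdue."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

PATCH_WINDOW_DAYS = 14  # the window recommended in the table above


@dataclass
class Component:
    name: str                      # software component in the estate
    internet_facing: bool          # reachable from the internet?
    installed: str                 # installed version, dotted integers (assumption)
    fixed_in: Optional[str]        # first version carrying the security fix, if any
    fix_released: Optional[date]   # date that fix was published


def parse_version(v: str) -> tuple:
    """Turn '2.1.10' into (2, 1, 10) so versions compare numerically, not as text."""
    return tuple(int(part) for part in v.split("."))


def audit(inventory, today):
    """Return (name, days_overdue, internet_facing) for every component that is
    still below its fixed version after the patch window has expired."""
    findings = []
    for c in inventory:
        if c.fixed_in is None or c.fix_released is None:
            continue  # no known security fix outstanding
        if parse_version(c.installed) >= parse_version(c.fixed_in):
            continue  # already patched
        overdue = (today - c.fix_released).days - PATCH_WINDOW_DAYS
        if overdue > 0:
            findings.append((c.name, overdue, c.internet_facing))
    # Internet-facing components first, then longest overdue
    findings.sort(key=lambda f: (not f[2], -f[1]))
    return findings


# Constructed inventory: names, versions and dates are illustrative placeholders
SAMPLE = [
    Component("intranet-wiki", False, "1.4.0", "1.4.2", date(2016, 11, 1)),
    Component("cms-core", True, "7.23", "7.32", date(2015, 3, 1)),
    Component("cms-slider-plugin", True, "2.1.7", "2.1.10", date(2015, 1, 10)),
    Component("mail-gateway", True, "3.0.5", "3.0.5", date(2016, 6, 1)),
    Component("doc-store", False, "5.2.0", "5.2.1", date(2016, 12, 28)),
    Component("static-site", True, "1.0.0", None, None),
]

if __name__ == "__main__":
    for name, overdue, facing in audit(SAMPLE, date(2017, 1, 3)):
        scope = "internet-facing" if facing else "internal"
        print(f"{name}: {overdue} days past the {PATCH_WINDOW_DAYS}-day window ({scope})")
```

Comparing versions as tuples matters here: as plain text, "2.1.7" sorts after "2.1.10", which would report the unpatched slider plugin as up to date.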

Patch, or perish.

Nine months after the Panama Papers reshaped the global conversation about financial secrecy, corruption, and the responsibilities of professional services firms, the aftershocks continue. Mossack Fonseca is in its death spiral. Its founders face criminal charges. Heads of state have fallen. Regulatory frameworks are being rewritten. And the fundamental cause remains the same: a failure to apply freely available security patches.

The Panama Papers breach is the most powerful argument for basic security hygiene ever constructed. It demonstrates, with a clarity that no theoretical risk assessment could match, that the failure to maintain basic security controls can trigger consequences of genuinely global significance. An unpatched WordPress plugin toppled the Prime Minister of Iceland. An outdated Drupal installation contributed to the downfall of the Prime Minister of Pakistan. A law firm that could not be bothered to update its software no longer exists.

The message for every organisation — and for every professional services firm in particular — is as simple as it is urgent: patch, or perish.

This article concludes our two-part deep dive into the Panama Papers breach. Our next Breach Deep Dive will examine a different incident. To suggest breaches for future analysis, or to discuss any of the issues raised in this series, please contact us.


Mossack Fonseca was destroyed by an unpatched WordPress plugin. When did you last scan yours?

Our external penetration testing identifies the exact vulnerabilities that brought down Mossack Fonseca — outdated CMS installations, unpatched plugins, misconfigured servers, and exposed credentials. Our Cyber Essentials Plus certification verifies that your patch management meets the baseline standard. An unpatched plugin killed a global law firm. Don't let it kill yours.
