The Panama Papers have been headline news for some time now. The recent data leak from Mossack Fonseca totalled 11.5 million documents and has rocked governments worldwide, including setting in motion the events that led to the resignation of the Prime Minister of Iceland.
While the overwhelming focus of the media and public attention has been on the possible tax avoidance schemes exposed, there is also some conversation about the security and data protection precautions taken by Mossack Fonseca, or to be more precise, the lack of them.
Sometimes people forget to update their software, or they are happy with the current version and don’t want new features, or they worry that the new version may have bugs that need to be patched. Often they don’t consider the security aspect of the updates. The Panama Papers reveal just how devastating a security breach can be.
It seems there were a number of security issues with Mossack Fonseca’s technology that may have contributed to their being hacked, including using a version of WordPress that was 3 months out of date. As reported recently in an article for Wired Magazine:
Mossack Fonseca’s webmail system, which runs on Microsoft’s Outlook Web Access, was last updated in 2009, while its main site runs a version of WordPress that is three months out of date. A further vulnerability makes it possible to easily access files uploaded to the backend of Mossack Fonseca’s site simply by guessing the URL.
After the Panama Papers were released, Wordfence compiled a thorough analysis of the Mossack Fonseca website. Here is a useful brief analysis of their findings from Cavendo:
- The Mossack Fonseca WordPress site was built using the Slider Revolution plugin (you know those sliders that everyone wants on their website).
- The plugin hadn’t been updated since 2013.
- The plugin had code that wasn’t secure and allowed someone with very technical skills to “exploit” the vulnerability.
- Within a couple of minutes, someone could gain “superuser” access to the web server their website is hosted on. If this server is on a network with other computers in their office, all of those computers could be accessed through this hack.
Your website is constantly under attack: a large proportion of website traffic is caused by ‘bots’ looking to find a weakness in your security. These automated hacking bots can have devastating consequences for your website, stealing your sensitive data or planting viruses.
The scale of the data breach at Mossack Fonseca is truly staggering and should lead us all to consider our security:
The leak includes emails, contracts, scanned documents and transcripts. Broken down by file type, the leak comprises 4.8 million emails, three million database files, 2.1 million PDFs, 1.1 million images, 320,166 text files and 2,242 files in other formats. All the files came organised in folders for the individual shell firms they related to. A full list of companies and people linked to the offshore entities will be published in May 2016.
Here at Seal Island Media our software is updated constantly. A firewall, regular scans for malware and other enhanced security features reduce the likelihood of your site being hacked. But if it is hacked, we will clean it up and restore the site to the last backup.
Avoid the fate of Mossack Fonseca
While it is not certain yet which security lapse allowed Mossack Fonseca to be hacked, the importance of security and updating regularly should be noted.
If you want to reduce the chances of your WordPress site being hacked:
- Use secure passwords
- Update your site regularly
- Install a WordPress firewall
- Only use plugins and themes from trusted sources
- Back up your site regularly in case you are hacked
We hope this blog has been useful. If you would like to talk to us about security for your website you can contact us here or call us on 0800 612 1098.