7 things Mossack Fonseca could have done better to protect their clients' “sensitive” data

Workshare would never take sides or comment on the lives and times of Mossack Fonseca's clients (or their financial affairs). But when you spend your days, as we do, obsessing about security and protecting customers' data, you take a keen interest in what is now considered the biggest data breach in history.

It hasn't taken long for news outlets to start cataloguing the many financial misdemeanours and the various parties being protected by Mossack Fonseca. Here at Workshare, we have focused instead on the security errors, and on the measures that could have been taken to protect the data.

Matin Nayob, from our expert Data Security team here at Workshare, compiled a list of general guidelines – the things that the IT team at Mossack Fonseca, or at any law firm, could and should have done to protect their data:

  1. Always keep the operating systems and system software you run up to date. Patches close vulnerabilities that have already been publicly disclosed and fixed, which are exactly the ones attackers try first.
  2. Use current, well-reviewed encryption protocols and cipher suites for any data you send or store, and retire deprecated ones rather than leaving them enabled for compatibility.
  3. Always keep internet-facing software (such as Drupal, WordPress and Outlook) up to date. It is reachable by anyone on the internet, is constantly scanned for known flaws, and a single outdated instance can provide a way into your systems.
  4. Make sure that every document and message leaving the company is encrypted and has been purged of hidden metadata (author and editor names, revision history, tracked changes, comments) before it goes out. A system such as Workshare can help you with this.
  5. Perform regular security audits and penetration tests, ideally carried out by an external company. This would almost certainly have picked up most, if not all, of the issues that were later exposed. It is something we do regularly to keep Workshare's cloud infrastructure protected.
  6. Follow the OWASP guidelines (https://www.owasp.org/index.php/Main_Page), starting with the OWASP Top 10, to protect yourself against the most common attack vectors.
  7. Encrypt any sensitive data you hold and limit access to the people who actually need it, and let everyone know that this is your policy. That way, even if a breach does occur, the attacker gets ciphertext rather than usable data. If you use a cloud-based file-sharing system, check the administration controls and account settings to confirm that admins and users can actually manage these restrictions.
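To make item 4 concrete, here is an added example (written for this post, not Workshare's product code) of what "purging hidden metadata" means for a Word document. A .docx is a zip archive of XML parts; the author, last editor, revision count, creation and modification times and company name live in docProps/core.xml and docProps/app.xml and travel with every copy of the file. The script below builds a constructed sample package in memory with made-up names (j.doe, partner.x, Example Law LLP), removes those properties, and keeps the body text intact. It also pins the zip entry timestamps, which leak editing times on their own.

```python
"""Strip identifying document properties from a .docx before it leaves the firm.

Added example, not Workshare's code. Uses only the Python standard library.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces defined by the OOXML standard for the two document-property parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Properties that name people, the organisation, or the document's history.
# The title is kept; everything listed here is removed outright (all are optional).
STRIP = {
    "docProps/core.xml": ["dc:creator", "cp:lastModifiedBy", "cp:revision",
                          "cp:lastPrinted", "dcterms:created", "dcterms:modified",
                          "cp:keywords", "dc:description", "cp:category"],
    "docProps/app.xml": ["ep:Company", "ep:Manager", "ep:TotalTime", "ep:Template"],
}
FIXED_TIME = (1980, 1, 1, 0, 0, 0)  # zip entry timestamps leak editing times too


def _strip_elements(xml_bytes, qnames):
    """Remove the listed prefixed elements from the root of an XML part."""
    root = ET.fromstring(xml_bytes)
    for qname in qnames:
        prefix, local = qname.split(":")
        for el in root.findall("{%s}%s" % (NS[prefix], local)):
            root.remove(el)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def scrub_docx(data: bytes) -> bytes:
    """Return a copy of the package with identifying properties removed."""
    src = zipfile.ZipFile(io.BytesIO(data))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            payload = src.read(name)
            if name in STRIP:
                payload = _strip_elements(payload, STRIP[name])
            info = zipfile.ZipInfo(name, date_time=FIXED_TIME)  # no real timestamps
            info.compress_type = zipfile.ZIP_DEFLATED
            dst.writestr(info, payload)
    return out.getvalue()


def read_part(data: bytes, name: str) -> bytes:
    """Read one part of the package (used to check the body is untouched)."""
    return zipfile.ZipFile(io.BytesIO(data)).read(name)


def document_properties(data: bytes) -> dict:
    """Map each property part to {local element name: text} for inspection."""
    props = {}
    for part in STRIP:
        root = ET.fromstring(read_part(data, part))
        props[part] = {el.tag.split("}")[1]: (el.text or "") for el in root}
    return props


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal package (relationships omitted) with revealing properties."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<dc:title>Engagement letter</dc:title><dc:creator>j.doe</dc:creator>'
        '<cp:lastModifiedBy>partner.x</cp:lastModifiedBy><cp:revision>14</cp:revision>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2016-03-01T09:00:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2016-03-28T17:42:00Z</dcterms:modified>'
        '</cp:coreProperties>' % (NS["cp"], NS["dc"], NS["dcterms"])
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
        '<Company>Example Law LLP</Company><Manager>partner.x</Manager>'
        '<TotalTime>312</TotalTime><Template>client_letter.dotm</Template>'
        '</Properties>' % NS["ep"]
    )
    doc = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Dear client,</w:t></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", doc)
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", document_properties(sample))
    print("after: ", document_properties(scrub_docx(sample)))
```

This handles the document properties only. Tracked changes and comments sit in word/document.xml and word/comments.xml and carry their own author names and timestamps, and embedded images or objects can carry their own metadata (EXIF, nested Office packages); a production scrubber has to walk all of those parts as well, which is the job a product like Workshare does for you.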

As the dust continues to settle (and the heads continue to roll), no doubt more information will come to light as to how 2.6 terabytes of data was able to leave the organisation and make its way into the hands of a journalist. On the plus side, companies can learn from these simple errors and better understand how to protect their own and their clients' data.

In the meantime, if you want to talk about how to implement some of the tips above contact us or give us a call on +44 20 7426 0000 to speak to one of our team.