Digital Transformation
Showing results for 
Search instead for 
Did you mean: 

How enterprise security lapses led to the Panama Papers leak


Guest post by Ronda Swaney

The revelations contained in the Panama Papers shocked the world, but equally shocking—and more relevant to enterprise security—are the failures that allowed this entirely avoidable leak.


The security flaw led to the leak of 3 million database files, 4.8 million emails, and 1.1 million images, covering 40 years of sensitive information housed by law firm Mossack Fonseca. The leak, its size, and the resulting damage revealed a more pervasive problem that should frighten any enterprise charged with protecting sensitive, valuable, or vulnerable data: The execution of security inside many enterprises is not only haphazard but also low priority.

Hacking is a lucrative business: Cybercriminals profit financially from the sale of stolen data, and personally from the notoriety that comes from the theft. To get their hands on sensitive data requires only a moderate amount of diligence and cleverness when security isn't a prime concern for an enterprise.

Making it easy for thieves

Mossack Fonseca's haphazard approach to security was nothing short of negligent, according to a Wired report. Patching and updating software are two critical yet low-impact steps every business should take to protect applications, but Mossack Fonseca had not updated its Outlook Web Access login since 2009 or its client login portal since 2013. That client portal, which ran on Drupal, contained 25 vulnerabilities known to both the security and hacking communities. "If I were a client of theirs," Alan Woodward, computer security expert from Surrey University, told Wired, "I'd be very concerned that they were communicating using such outdated technology."

The firm's website and portal management were outsourced to a third party. If you're going to outsource, you need assurances that the vendor is competent, and their security practices are clear. The contract should outline remedies if they don't meet those standards—although, if you're in a position to seek remedies, the damage has likely been done.

4 security measures that can stop leaks

Information is an asset that needs to be protected and secured just as firmly as you protect your bank accounts, perimeter, and company name, which means making security part of the entire enterprise culture, even beyond IT. The following are four critical steps toward protecting your enterprise data.

  1. Control the information life span. Collect only information you need for a specific business purpose and keep it only as long as there is a legitimate business need. Once that time has passed, the information should be securely destroyed. Data isn't stagnant—it often moves from repository to repository inside a business and should be encrypted and protected during transmission and storage. With a data-centric security approach, data is protected across its life span, from the moment it is captured, throughout its travels, and as it is accessed.
  2. Control access to the data. Decide what roles truly need access to data. According to CIO, two of the top risks to enterprise security are disgruntled and uninformed and/or careless employees. To mitigate the risks, data access should be strictly monitored and controlled, and employees should be trained on security best practices.
  3. Enforce security at every access point. This includes on-premise security as well as mobile and remote access. Require strong passwords and protect them as though they are company assets. Regularly test for security flaws, set up firewalls between networks, and use intrusion detection and prevention tools. Security breaches at large enterprises through third-party vendors is a growing problem; get their security practices in writing and test their practices before committing to their services.
  4. Start security planning  at the development stage. When creating internal products, make sure your team masters secure coding and knows best practices. For any app or tool you create, know how it will be used and understand the standards. This white paper from the SANS Institute reviews the current state of application security and the gaps that exist between those who create applications and those who defend them.

For an in-depth discussion about the maturity of security inside the enterprise, read the "State of Security Operations: 2016 report" (reg. req'd).

0 Kudos
About the Author


Jan 30-31, 2018
Expert Days - 2018
Visit this forum and get the schedules for online HPE Expert Days where you can talk to HPE product experts, R&D and support team members and get answ...
Read more
See posts for dates
HPE Webinars - 2018
Find out about this year's live broadcasts and on-demand webinars.
Read more
View all