Europe is currently caught up in a political furore surrounding the leak of the ‘Panama Papers’, which basically has leaked the names of those using the offshore tax haven. Among the names to surface have included the Icelandic prime minister, who has since resigned and the UK prime minister, who as usual has some protesters at his door. This leak is undoubtedly the tip of a very large iceberg of high profile people using places such as Panama to evade taxes.

What interests us about the Panama Papers breach, is the poor security and simple attack methods which led to it happening. A number of security researchers have since analysed the company Mossack Fonseca whose data has been breached and found their security measures to be severely lacking. Its client login portal hadn’t been updated since 2013 and is also vulnerable to the common DROWN attack due to its outdated SSL v2 protocol, running on Drupal. The portal is also vulnerable to at least 25 other vulnerabilities including SQL injection. It’s also possible to access hidden parts of the site by simply guessing URLs based on their URL structure, and its webmail system was last updated in 2009.

What’s astonishing is not only the poor information security which somehow allowed the breach to occur, but the sheer scale of what has been siphoned off. In the largest set of breached documents in history, 2.6 terabytes made up of 11.6 million documents have been published online, dating as far back as the 1970s. It’s as yet unclear how the breach occurred, but researchers have speculated that it could be an insider, but it just as likely to be an attacker who targeted them and got lucky. Currently the data is being organised and a full list of all the offshore entities and names of those associated with them is due to published in May.

In addition to being a breach of enormous proportions, and completely preventable, the Panama Papers has involved a journalistic project of epic proportions. Prior to the release of the papers, communications were taking place with agencies such as WikiLeaks, the BBC and the Guardian, helping journalists to process the news as quickly and efficiently as possible. To do so, the entire 2.6 terabytes was uploaded to the cloud and customised for use by the various news outlets, indexed and made searchable. So for example, UK outlets could search for key names such as David Cameron and easily access all the relevant files.

This has been a highly coordinated, controlled release of data which promises to have huge implications for the rich and powerful people involved and no doubt we can expect continued fallout from the Panama Papers breach for months to come.


Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.