I don’t know much about Panama. Up to now my knowledge has been limited to being aware that they have a canal, have given their name at a piece of millenary worn by many men at various summer functions and that their motto is “For the Benefit of the World”. This understanding has now been given one more fact, that they are the source of the biggest data leak to date, the headline grabbing “Panama Papers”
This developing story is based around a huge leak of documents from the highly secretive Panamanian law firm, Mossack Fonseca. These documents have exposed how many of the rich and powerful around the globe have used tax havens to hide their wealth, to launder money, to dodge sanctions and avoid tax. Presidents, Prime Ministers, international financiers, political donors and many, many more are being questioned on their connection to Mossack Fonseca and their management schemes.
The sheer quantity of documents is staggering and total an eye watering 11.5 million. From various reports I have read they break down as 4.8 million emails, 2.1 million PDFs, 1.1 million images and 320,000 text files. Totaling 2.6TB of data. One report states that this leak is 2,000 times the amount in the WikiLeaks State Department cables in 2010.
To put this in context for you I have done a few ‘back of a napkin calculations’, that will hopefully illustrate how different cyber breaches are compared to more traditional exposure of physical documents.
Let’s imagine that each document fits on a single sheet of A4 paper. We need 11.5 million sheets of A4 paper then. 500 sheets of 90gsm traditional office grade printer paper weighs in at around 2.7kg. That means 11.5 million sheets will weigh in at a hefty 62,100 kg, or 62.1 metric tonnes!
Even the most tenacious individual is going to have a hard time grabbing that without somebody noticing, as in order to get away with all that paper they would have to enlist the use of three 40 tonne articulated trucks; the big ones; the sort that you see trundling along the UK motorway with Eddie Stobart emblazoned on the side. Each of these trucks, with a 10 metre trailer has a payload of around 23 tonnes, plus they will need considerable manpower to get it all loaded.
I’m willing to be corrected on my calculations here, but what I’m trying to state is that if a small convoy of trucks rolled up at your HQ and they started loading paperwork of that quantity and then driving off, with no permits, no agreements, then you would be up in arms.
In the cyber world which we all now occupy, all of those documents, three truckloads, could be copied to a Samsung M3 Slimline 4 TB USB 3.0 Portable Hard Drive (£124.99 from Amazon) in about 2 hours; hidden easily in a coat pocket, a laptop bag and just taken though the front door without anybody even noticing. Or if it was just being drip fed over a traditional broadband line they could be transferred in under 2 days.
From what I have read these documents were leaked out over a number of months and they were then put into a software platform called Nuix, which if configured correctly can analyse them all in under 2 days. This then allows individuals, in this case over 400 journalists from around the world, to search, scour and research the full breadth and depth of this trove of data using an interface that is not dissimilar to a simple Google search.
Go back to the physical theft for a minute and just how long would it have taken a dedicated team to analyse three truckloads of physical documents – a lifetimes work I should think. There would be a very long wait for any meaningful analysis.
Alongside The Edward Snowdon affair, the data breach at TalkTalk, the Panama Papers is another watershed moment for cyber security. This case goes to show how vast amounts of data can be leaked, analysed and made public within very short amounts of time. Regardless of the motives behind this expose had Mossack Fonseca been as sophisticated with their cyber security as they (allegedly) have been with their wealth management schemes then their clients may still be safely anonymous.
I’m not suggesting that all firms are involved in business practices that are as questionable as that of Mossack Fonseca however all companies have data that they wish to keep out of the public domain for perfectly legitimate reasons. I hope they take notice of the Panama Papers and learn from it. There is no doubt that cyber security companies, consultancies, vendors and trainers will all be using this case as an example of what can happen when vast quantities of data are leaked and analysed.
Of all the countries in the world to teach us how devastating a single data breach can have on a company, its clients and its national reputation I didn’t think it would be Panama, but then their motto is “For the Benefit of the World”, and the cyber security industry thanks them for their unexpected cyber contribution.