Panama Papers

== Data security ==
Mossack Fonseca notified its clients on April 1, 2016, that it had sustained an email hack. Mossack Fonseca also told news sources that the company had been hacked and always operated within the law.<ref name="DiePresse.com 2016">{{cite web |title=Panama-Papers: Kanzlei Mossack Fonesca erstattet Anzeige |website=DiePresse.com |date=April 6, 2016 |url=http://diepresse.com/home/wirtschaft/international/4961279/PanamaPapers_Kanzlei-Mossack-Fonesca-erstattet-Anzeige |trans-title=Panama-papers: Law firm of Mossack Fonseca charges |language=de |access-date=April 8, 2016 |url-status=live |archive-url=https://web.archive.org/web/20160408000710/http://diepresse.com/home/wirtschaft/international/4961279/PanamaPapers_Kanzlei-Mossack-Fonesca-erstattet-Anzeige |archive-date=April 8, 2016 }}</ref>

Data security experts noted, however, that the company had not been encrypting its emails<ref name="forbes"/> and furthermore seemed to have been running a three-year-old version of [[Drupal]] with several known [[Vulnerability (computing)|vulnerabilities]].<ref name="forbes"/> According to James Sanders of ''[[TechRepublic]]'', Drupal ran on the [[Apache HTTP Server|Apache]] 2.2.15 version from March 6, 2010, and worse, the Oracle [[Fork (software development)|fork]] of Apache, which by default allows users to view [[Directory (computing)|directory]] structure.<ref name=TR>{{cite magazine |url=http://www.techrepublic.com/article/no-1-thing-it-departments-can-learn-from-the-panama-papers-hack/ |title=No. 1 thing IT departments can learn from the Panama Papers hack: Staggeringly out of date software supports the conclusion that documents from Mossack Fonseca were exfiltrated by a hacker. Learn what vulnerabilities could have been used. |author=James Sanders |date=April 13, 2016 |access-date=April 23, 2016 |magazine=TechRepublic |url-status=live |archive-url=https://web.archive.org/web/20160420201856/http://www.techrepublic.com/article/no-1-thing-it-departments-can-learn-from-the-panama-papers-hack/ |archive-date=April 20, 2016 }}</ref>

The [[network architecture]] was also inherently insecure; the email and web servers were not [[network segment|segmented]] from the client database in any way.<ref>{{cite news |date=April 21, 2016 |title=Cybersecurity Lessons Learned From 'Panama Papers' Breach |work=Forbes |url=https://www.forbes.com/sites/jasonbloomberg/2016/04/21/cybersecurity-lessons-learned-from-panama-papers-breach/#5af3b35d4f7a |access-date=May 8, 2016 |url-status=live |archive-url=https://web.archive.org/web/20160421230444/http://www.forbes.com/sites/jasonbloomberg/2016/04/21/cybersecurity-lessons-learned-from-panama-papers-breach/#5af3b35d4f7a |archive-date=April 21, 2016 }}</ref>

Some reports<ref>{{cite web |url=https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/ |title=Did an Out of Date WordPress Plugin Expose Mossack Fonseca to Hacks? |author=Mark Maunder |publisher=Wordfence |url-status=live |archive-url=https://web.archive.org/web/20161220213007/https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/ |archive-date=December 20, 2016 |date=April 7, 2016 }}</ref> also suggest that some parts of the site may have been running [[WordPress]] with an out-of-date version of Slider Revolution, a plugin whose previously-announced vulnerabilities<ref>{{cite web |url=https://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html |title=Slider Revolution Plugin Critical Vulnerability Being Exploited |work=Sucuri Blog |access-date=May 15, 2016 |url-status=live |archive-url=https://web.archive.org/web/20160412201011/https://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html |archive-date=April 12, 2016 |date=September 3, 2014 }}</ref> are well-documented.

A [[grey hat]] hacker named 1×0123 announced April 12 that Mossack Fonseca's [[content management system]] had not been secured from [[SQL injection]], a well-known database attack [[vector (malware)|vector]], and that he had been able to access the customer database because of this.<ref>{{cite news |url=https://www.hackread.com/sql-injection-bug-in-panama-papers-law-firm-mossack-fonseca/ |title=SQL injection bug found in Panama Papers Law Firm Mossack Fonseca |author=Ali Razaa |date=April 12, 2016 |access-date=May 8, 2016 |work=HackRead |url-status=live |archive-url=https://web.archive.org/web/20160604223158/https://www.hackread.com/sql-injection-bug-in-panama-papers-law-firm-mossack-fonseca/ |archive-date=June 4, 2016 }}</ref>

Computer security expert [[Chris Kubecka]] announced May 24, 2016, that the Mossack Fonseca client login portal was running four different government grade [[remote access trojan]]s (RATs). Kubecka confirmed there were still numerous critical vulnerabilities, too many open ports into their infrastructure and internet access to their archive server due to weak security.<ref>{{cite web|url=http://www.whatshappening.co.uk/warrington/events/industrial-control-cyber-security-nuclear/56ce7afe5c207|title=Industrial Control Cyber Security Nuclear|date=May 2016|access-date=November 3, 2017|url-status=live|archive-url=https://web.archive.org/web/20171107015544/http://www.whatshappening.co.uk/warrington/events/industrial-control-cyber-security-nuclear/56ce7afe5c207|archive-date=November 7, 2017}}</ref> Kubecka explained how each data security issue was discovered in detail in a book titled ''Down the Rabbit Hole: An OSINT Journey''.<ref>{{cite book |author=Kubecka, Chris|year=2017|title=Down the Rabbit Hole: An OSINT Journey|publisher= HypaSec|location=Amsterdam|isbn=978-0995687547|pages= 1–162}}</ref>
[[File:Mossack Foncesa's client portal and general data security weak.png|thumb|Shodan scan results of Mossack Fonseca's client login portal breached by RATs]]