The leak at offshore law firm Mossack Fonseca is a stark reminder that hackers are no longer only after health insurance and credit card numbers;
The Panama Papers represent one of the biggest data leaks in history. But unlike the recent TalkTalk hack – which saw hundreds of thousands of customer’s personal data made public – this leak exposed the lengths to which wealthy individuals would go to hide their wealth and avoid paying taxes in the millions.
In April, an unprecedented amount of data, some 11.5 million files containing offshore account details of some of the world’s wealthiest individuals were obtained by a German newspaper, before it was shared with the International Consortium of Investigative Journalists and subsequently with the media.
Politicians, among others, were caught out as soon as the Panama Papers hit the press. Icelandic prime minister Sigmundur Davíð, for instance, was found to have owned an offshore investment company, which claimed millions of pounds on Iceland’s failed banks (his wife still owns the company). He soon resigned after a mass protest in the coastal capital of Reykjavik called for him to step down.
In the UK, the leaked papers revealed that prime minister David Cameron’s late father owned an offshore investment fund, of which Cameron became a beneficiary. This caused a great deal of negative publicity, putting pressure on Cameron to share and defend his tax returns.
Indeed, the Panama Papers raise several questions about the clandestine nature of the wealthy and the efficacy of tax havens. So far, the spotlight has shone on offshore accounts linked to politicians, state heads, royalty and celebrities. Few corporates have been caught out. But beneath the surface, one issue has caught the attention of many corporates: data breaches and its consequences.
The 11.5 million leaked files are a stark reminder of how damaging a data hack can be. And, in a technologically connected world, businesses are more vulnerable to a breach than ever before.
Rajiv Gupta, chief executive and founder of cloud access security broker Skyhigh Networks, says technology can empower whistleblowers and it will continue to play “a starring role” in making public any political and corporate scandals of the future.
“Only with online tools could a whistleblower hope to [access] 2.6 terabytes of accounting information and could journalists rely on powerful collaboration software to analyse the information.”
The Mossack Fonseca leak is a wake-up call to all industries, he says. “Hackers are not just after social security, health insurance, and credit card numbers.
“Determined attackers follow ideological, political and financial motives. Organisations need to assume all sensitive information, such as private transactions, personal communication and intellectual property, is a target.”
The digital whistleblower
In the digital age, most organisations will have well-developed contingency plans, which detail how to respond in an event of a data breach and how to reassure their customers, says John Hurrell, chief executive at Airmic, the UK’s risk management association. But the problem lies in managing reputation risk. Few companies have contingency plans that can effectively respond to this type of loss.
“When TalkTalk experienced a data breach, it was customer records that were compromised. As long as the victim, in this case TalkTalk, responds effectively, quickly and transparently, they will live to fight another day,” he says.
But a data breach incident becomes more complicated if the hack exposes corporate wrongdoing or if consequent investigations reveal a range of other breaches, says Hurrell. “Then it would become a significantly profound crisis for any organisation.”
Hurrell explains that board engagement is essential for managing data breaches and other cyber-related risk. But most boards need to improve their understanding. “The only way the board can [get a better understanding] is for them to get out and ask questions.”
But apart from managing their own cyber exposure, companies will also need to start factoring cybersecurity capabilities into their third-party vendor evaluation, Gupta says. He explains that through supply chains, companies can become exposed to risks that are affecting their business partners, “especially those with access to large amounts of confidential information”.
“Several top law firms recently suffered data breaches, a painful lesson that cybersecurity is a fundamental component to confidentiality.
“To an organisation a good chief information security officer is becoming just as valuable as a good attorney or a good doctor to an individual.”