Over the first weekend of April 2016, news began to emerge of another data leak. This one seemed different: the media were already reporting it as the biggest data leak in history, and there appeared to be implications for high-profile international figures.
Who are Mossack Fonseca?
The Guardian reports Mossack Fonseca as the world’s fourth-largest offshore law firm. It is not unusual for sensitive legal data to be the target of leaks from inside an organisation, as well as being exposed to external cyber attacks and other threats.
What has attracted media interest here is the firm’s core business of setting up corporations in offshore tax havens, a practice which raises the suspicions of tax authorities.
How are leaks measured?
The largest data leak in history is an impressive title, but it’s interesting to see how this is measured.
In this case, 2.6TB of data appears to have been disclosed to the German newspaper Süddeutsche Zeitung.
This raises interesting questions about the method of the leak and how law firms can protect against them.
Protecting Legal Data
While there may be ethical questions surrounding this particular firm, law firms in general handle legitimate and sensitive business on our behalf, and should therefore make every effort to keep those affairs private and secure.
It currently appears unclear how this amount of data left the organisation; however, it seems unlikely to have been via email, as transferring 2.6TB of data would be a considerable undertaking over a period of time, risking discovery.
There are several controls within ISO 27001, the international standard for Information Security, that can help protect against this sort of threat.
For example, a robust patching policy for the mail server may have fixed a vulnerability in the mail software and prevented the access.
Alternatively, reviewing firewall rules, enforcing two-factor authentication and requiring a secure VPN connection for remote access may also have gone some way to mitigating the risk of unauthorised access.
The Human Element
While technical vulnerabilities are a real threat, the human element should not be underestimated.
Simply emailing documents to a third party is a real possibility, although emailing 2.6TB would take some time. Technical controls can be applied to most mail servers to detect and prevent this kind of leak, but a robust information classification scheme should also be considered. Having an auditable trail of activity within the firm’s document or case management system, and furthermore actually reviewing that data on a regular basis, can act as both a deterrent and a detection tool.
Considering the size of the data leak, it would be sensible to also consider the use of physical media as a means of removing data from the firm.
Firstly, consider whether there is a valid business need for USB storage to be in use at all. Technical restrictions can be applied through Group Policy, and, where there is a genuine need, selected users can be permitted to use such devices.
If devices do need to be used, encrypting them is best practice.
Due to the confidential nature of their work, law firms are likely to be the target of many cyber and physical attacks on their information assets, and in this age of information governance, a breach however small can lead to irreparable reputational damage.
Designing an information security framework based on ISO 27001 is the first step in showing a commitment to protecting the confidential data that clients entrust to your law firm.
Assent Risk Management can help you implement a management system to ISO 27001 and achieve recognised UKAS accredited certification.