As a Document Management Consultant, I found the hack of Mossack Fonseca very fascinating. Not because the wealthy were setting up tax shelters in foreign countries (duh), but because of how a firm that catered to heads of state and the super rich had such bad security and allowed over 10 million files to get stolen.
Broken down by file type, the leak comprises:
- 4.8 million emails,
- 3 million database files,
- 2.1 million PDFs,
- 1.1 million images,
- 320,166 text files,
- 2,242 files in other formats.
All the files came organized in folders for the individual shell firms they related to.
Source: http://www.wired.co.uk/news/archive/2016-04/06/panama-papers-mossack-fonseca-website-security-problems
I use NetDocuments to store my emails and documents. When you set up NetDocuments, this is the 4th setting:
If anyone tries to download more than 100 documents, I (and all admins) will get an email telling us what is going on. Since I routinely install NetDocuments for 3-user law firms with minimal resources, what does a wealthy multinational firm use to secure their documents?
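A threshold alert of the kind described above can be sketched as detection logic over a download audit log. This is an added example, not NetDocuments code or a description of how it works internally; the log format, the user names and the one-hour window are assumptions, and only the 100-document threshold comes from the post.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 100              # from the post: alert above 100 downloaded documents
WINDOW = timedelta(hours=1)  # assumption: the post does not state a time window


def parse_event(line):
    """Parse one constructed audit line: '<ISO time> <user> <action> <doc_id>'."""
    ts, user, action, doc_id = line.split()
    return datetime.fromisoformat(ts), user, action, doc_id


def find_bulk_downloads(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per user, raised when that user first exceeds
    `threshold` distinct downloaded documents inside a sliding `window`."""
    recent = defaultdict(deque)  # user -> (time, doc_id) pairs still in the window
    alerted, alerts = set(), []
    for ts, user, action, doc_id in sorted(parse_event(l) for l in lines if l.strip()):
        if action != "DOWNLOAD" or user in alerted:
            continue
        q = recent[user]
        q.append((ts, doc_id))
        while ts - q[0][0] > window:  # drop events that aged out of the window
            q.popleft()
        distinct = len({d for _, d in q})  # repeat downloads of one file count once
        if distinct > threshold:
            alerted.add(user)
            alerts.append({"user": user, "at": ts, "count": distinct})
    return alerts


def sample_log():
    """Constructed audit data, not taken from any real system."""
    t0 = datetime(2016, 4, 1, 9, 0, 0)
    def row(offset, user, action, n):
        return f"{(t0 + offset).isoformat()} {user} {action} doc-{n}"
    lines = [row(timedelta(minutes=12 * i), "paralegal", "DOWNLOAD", i) for i in range(40)]
    lines += [row(timedelta(seconds=2 * i), "svc-portal", "DOWNLOAD", 1000 + i) for i in range(150)]
    lines += [row(timedelta(minutes=5 * i), "associate", "DOWNLOAD", 5000 + i) for i in range(120)]
    lines.append(row(timedelta(0), "paralegal", "VIEW", 1))
    return lines


if __name__ == "__main__":
    for a in find_bulk_downloads(sample_log()):
        print(f"ALERT {a['user']}: {a['count']} documents by {a['at'].isoformat()}")
```

With the one-hour window only the `svc-portal` account is flagged; the `associate` account's 120 downloads spread across the day are flagged once `window` is widened to a day, which is the tuning decision a count-based alert like this depends on.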
From the website, it looks like the firm built its own homegrown “secure cloud” and then decided to sell it to other firms. If I had a dime for every time an attorney pitched me his plan for their own document management system, I would be a rich man. Probably wealthy enough to need my own tax shelter.
This comes directly from the e-volusoft website:
“Our mission is to provide our clients with the best solutions to transform printed documents into digital files, in order to allow the effective management in an efficient way to handle corporate documents.
Our vision is to offer our clients a complete solution to manage your documents in a short and long term periods, providing security and an excellent technical support when you install the application.”
Part of me wonders if e-volusoft is real or just some shell company. I haven’t been able to find an example of anyone actually using it. Regardless, the law firm that has suffered the largest breach in history advertises its own “secure cloud” document management software.
Wired Magazine does a great job going through bad security at the firm:
- Their Client Portal was last updated in August 2013
- There were at least 25 known unpatched security vulnerabilities
- The server was configured to allow anyone who knew or could guess their URL access to their documents
I do feel a little bad for the IT people at the firm. They were probably overworked, underpaid and were expected to be experts in Drupal, WordPress, SQL, and Exchange. How many law firms are experts in Bankruptcy, Family Law, Mergers, and DWI Defense? Had the firm moved their Exchange servers to Microsoft 365 and their documents and client portal to NetDocuments, this breach probably would have never happened.
Side Note: OCR
“The biggest challenge for processing the data was the amount of text that couldn’t initially be recognized by machines. Optical character recognition (OCR) was used to transform the data into text that could be understood and searched by computers.”
This law firm that sells its own document management software and acts like they are experts in converting paper documents to digital had not done OCR on its own documents. That’s pathetic.