'Panama papers' came from email server hack at Mossack Fonseca

Money-shuttling firm lost 2.6 TB of data and didn't even notice

The staggering, Wikileaks-beating “Panama Papers” data exfiltration has been attributed to the breach of an email server last year.

The leak of documents from Panama-based, internationally-franchised firm Mossack Fonseca appears to confirm what has long been suspected but rarely proven: well-heeled politicians, businesses, investors, and criminals use haven-registered businesses to hide their wealth from the public and from taxmen.

Bloomberg says co-founder Ramon Fonseca told Panama's Channel 2 the leaked documents are authentic and were “obtained illegally by hackers”.

According to The Spanish, the whistleblower (here in Spanish) accessed the vast trove of documents by breaching Mossack Fonseca's email server, with the company sending a message to clients saying it's investigating how the breach happened, and explaining that it's taking “all necessary steps to prevent it happening again”.

The company added that it's engaged security consultants to close the horse-long-gone stable door.

Described as the biggest document leak ever, the International Consortium of Investigative Journalists (ICIJ), which is coordinating the drip-feed release of information from the leak, says there's 11.5 million documents and 2.6 TB of data.

The documents landed first at German outlet Sueddeutsche Zeitung last year, which worked with the ICIJ to coordinate their worldwide release.

The leak has exposed the offshore activities of hundreds of politicians and public figures around the world, naming Iceland's prime minister David Gunnlaugsson, the late father of British PM David Cameron, Vladimir Putin, and many others.

So far, the ICIJ says, 140 politicians and public officials have been revealed as having offshore holdings, more than 214,000 organisations have been identified, along with many billions' worth of transactions.

Given the vagaries of defamation law, every outlet reporting on the breach including The Register is constrained to note that there are legitimate reasons for using such entities, including estate planning and inheritance rules, so it's unsound to assume that all Mossack Fonseca customers were breaking the law.

It's also feasible that not every individual or company named was fully aware of what was going on, since the ICIJ notes that banks were behind establishing most of the offshore entities.

To date, The Register hasn't seen a strong presence from the tech sector in the staged release of the documents, perhaps because the “Double Irish Dutch Sandwich” tactic favoured in this business works without hiding companies' links to their international associates. ®

Sponsored: Minds Mastering Machines - Call for papers now open


Biting the hand that feeds IT © 1998–2018