The International Consortium of Investigative Journalists published the first wave of stories from the Panama Papers on Sunday (icij.org/investigations/panama-papers). The source — described as "John Doe", whose anonymous manifesto was published yesterday by Süddeutsche Zeitung (sueddeutsche.de John Doe statement, May 6) — leaked 11.5 million documents from Mossack Fonseca, the Panama-based law firm specialising in offshore-company formation. The document collection runs to approximately 2.6 terabytes, spans the period from the 1970s to early 2016, and includes scanned passports, formation documents, ledgers, internal email, banking correspondence, and the operational records of around 214,000 offshore entities.
The journalism is unprecedented in scale and method. The ICIJ coordinated approximately 370 journalists across 76 countries and over 100 media organisations, all of whom received access to the searchable database under a shared embargo and on a shared infrastructure (Linkurious / Neo4j architecture, Süddeutsche Zeitung tech post). The processing — OCR, deduplication, entity extraction, and graph construction connecting people, companies, addresses, and intermediaries — required substantial technical work over a year. The story shape is therefore unlike any previous large leak: it is not a single cache published by a hostile actor for maximum disruption (Sony, Ashley Madison, Hacking Team); it is a curated investigative product produced by professional journalists working in cooperation across jurisdictions.
The political consequences started immediately. The Prime Minister of Iceland, Sigmundur Davíð Gunnlaugsson, resigned on Tuesday after the disclosure of his and his wife's offshore holdings became politically untenable. The Prime Minister of the United Kingdom is under pressure over his late father's offshore fund. The President of Russia features through a network of close associates rather than directly. The President of the Argentine Republic, the King of Saudi Arabia, the Prime Minister of Pakistan, and dozens of other sitting heads of state and senior politicians appear in the documents. The ICIJ has been clear that the appearance of a person in the documents does not, by itself, indicate wrongdoing — offshore companies have legitimate uses, the documents do not establish what the companies did, and the journalism is being done with care to distinguish illegal activity from legal but politically embarrassing activity. That nuance is going to be tested in the coming weeks as the secondary stories run.
The technical interest for me, separately from the substantive content, is in the exfiltration. Mossack Fonseca's statement on Monday described "an unauthorised breach of our email server" (Mossack Fonseca statement, mossfon.com — archived via Wayback April 2016) and the firm has been notably circumspect about further detail. The 2.6-terabyte document collection — including not just email but the firm's document-management system, accounting records, scanned identification documents, and internal communications — appears to have been obtained over a sustained period rather than a single point-in-time exfiltration. Outside reporting has pointed at vulnerabilities in the firm's external-facing services, including a Drupal-based client portal running unpatched versions with known vulnerabilities (Wired analysis on Mossack Fonseca's web infrastructure). I have no inside information beyond the public reporting; the operational hypothesis is that the firm's external posture was inadequate over an extended period, the implant was patient, and the data movement was slow enough to avoid the kind of bandwidth-anomaly detection that a more sophisticated victim would notice.
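One detection control the hypothesis above argues for, as an added example that is not from the original post or from any of the reporting it cites: a trailing-window outbound-volume check run beside the per-day bandwidth cap it is meant to complement, so that a sustained rise that never trips the daily cap is still surfaced. Host names and byte counts are constructed.

```python
# Detecting low-and-slow outbound data movement by comparing a trailing
# window of outbound volume against a learned baseline, rather than relying
# on a single per-day bandwidth cap. All data below is constructed.

# Constructed daily outbound megabytes per host over 14 days (no real data).
# dms01: document-management server whose outbound volume roughly doubles
# from day 8 but never crosses a 300 MB/day cap. ws07: a workstation with a
# single large burst on day 14. fs02: a file server with flat, benign traffic.
DAILY_OUT_MB = {
    "dms01": [120, 130, 110, 125, 135, 115, 125,
              230, 240, 235, 245, 250, 240, 255],
    "ws07":  [50] * 13 + [900],
    "fs02":  [200] * 14,
}

def per_day_alerts(series, cap_mb=300):
    """Classic threshold: 1-based days whose outbound volume exceeds cap_mb."""
    return [day for day, mb in enumerate(series, start=1) if mb > cap_mb]

def sustained_alerts(series, baseline_days=7, window=7, ratio=1.5):
    """Trailing-window check. The first `baseline_days` days define the
    expected total for a `window`-day period; every later day is flagged
    when the trailing `window` days move more than `ratio` times that total.
    This catches a sustained rise that stays under any per-day cap."""
    baseline_total = sum(series[:baseline_days]) / baseline_days * window
    alerts = []
    for day in range(baseline_days + 1, len(series) + 1):
        trailing = sum(series[max(0, day - window):day])
        if trailing > ratio * baseline_total:
            alerts.append(day)
    return alerts

def triage(hosts=DAILY_OUT_MB, cap_mb=300, ratio=1.5):
    """Return {host: (per-day cap alert days, sustained-rise alert days)}."""
    return {h: (per_day_alerts(s, cap_mb), sustained_alerts(s, ratio=ratio))
            for h, s in hosts.items()}

if __name__ == "__main__":
    for host, (spikes, slow) in triage().items():
        print(f"{host}: per-day cap alerts={spikes} sustained alerts={slow}")
```

On the constructed data the per-day cap only ever fires for the one-off burst on ws07, while the trailing-window check flags dms01 from day 11 onward even though no single day on that host exceeds the cap.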
For the legal-services vCISO portfolio, the immediate operational question is what the Panama Papers tell us about the threat model facing law firms generally. The answer, on the documents, is that law firms hold extraordinary concentrations of sensitive client information, that the operational maturity of legal-sector IT is on average lower than that of financial-services IT, that the perimeter security posture is often vendor-driven and unreviewed, and that the consequences of a leak — for the firm, for the clients, for the wider relationships of trust — are, at the upper end, existential. Mossack Fonseca will likely not survive this. Other firms in similar specialisms may attract the same kind of attention. The current threat-actor landscape includes both criminal actors interested in commercial extortion and ideologically motivated actors interested in disclosure as a political act; the Mossack Fonseca leak appears to be the latter, as was the Hacking Team leak from July 2015, and that combination is going to drive the next several years of legal-sector security investment.
For Browne Jacobson specifically, who are an established vCISO client and a substantial UK firm, the conversation at the next quarterly board meeting is going to need to address two things. First, the operational posture of the firm's external services and the document-management system, which is the part of the technical estate that maps directly to what failed at Mossack Fonseca. Second, the firm's internal policies on retention — the documents in the Panama Papers go back to the 1970s, and the long-tail retention of historical client matters is a question that needs deliberate attention rather than benign neglect. Most law firms keep more material for longer than they should, and the leak surface scales with retention.
The wider piece of work I want to do this year is on what John Doe's manifesto raises. The argument — that the offshore industry is a moral failure that requires public exposure regardless of legal consequence — is in a tradition of disclosure-ethics arguments that runs through Manning, Snowden, and now this. The technical security community has, in 2016, a more mature set of opinions about what those disclosures mean than it had in 2010. We are clearer about the harms — Ashley Madison taught that lesson — and we are clearer about the public-interest cases — Snowden produced material that demonstrably changed surveillance policy. The Panama Papers fall, in my reading, on the public-interest side of the line, but the line is not bright, and the cases will continue to come. The conversation about what disclosure ethics looks like in a world where institutions hold massive sensitive datasets and individuals can sometimes copy them is not over. It is barely starting.
There is more to write. Tonight, the practical work — a note to Browne Jacobson, an internal SOC checklist for legal-sector customer estates, and a call with the firm's IT director scheduled for Friday.