The unprecedented leak of millions of confidential documents from the Panama law firm Mossack Fonseca was most probably the work of a hacker. The origin of the leak has not yet been identified, nor do we know exactly how the intruders got in, but some real and possible causes have been clearly recognised, all of them consequences of the firm's rather loose web security policy.
Mossack Fonseca runs two websites, its main website and a client information portal. Both run on open source content management systems: the first on WordPress, the second on Drupal.
Open source software is software whose source code is made available under a specific license. The open source model is a collaborative form of development involving multiple independent contributors. It generates a great diversity of design perspectives, and the software is constantly updated by the thousands of programmers involved. Updates are released for two main reasons: technical progress and security. Security vulnerabilities are constantly being patched to stop hackers from exploiting them and causing mischief. An out-of-date software version leaves the door open and invites hackers in.
The firm's main website runs on WordPress, a popular content management system. According to analysis by specialists, the version it was running in April 2016 was version 4.1, released in December 2014. The site was also running an out-of-date version of Revolution Slider, a plugin that helps display content dynamically. Hackers could have gained access via the out-of-date software and then moved around the server to find the leaked documents.
The other website is the client information portal, ‘a secure online account that enables you to access your corporate information anywhere and everywhere’, which uses Drupal, another open source content management system. Forbes discovered that, according to Internet records, the firm's portal, used by customers to access sensitive data, was most likely running a three-year-old version of Drupal, 7.23. That version of Drupal precedes 7.31, in which a top-priority security patch was applied. This patch must be applied on the day of its release, or the website must be considered compromised. That could have been another point of entry for the hackers.
All this goes to show the importance of keeping software versions up to date. This applies particularly to professions that deal with sensitive and confidential documents.
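A site owner can check for the kind of version drift described above by reading the version that each CMS records in its own core files and comparing it with a minimum acceptable release. The script below is an added example, not code from the firm or from the analyses cited. The baseline table is supplied by the operator (7.31 is the Drupal release named above, and the WordPress baseline of 4.5 is a constructed placeholder), and the web root is a constructed temporary directory.

```python
import re
import tempfile
from pathlib import Path

# File and pattern where each CMS records its core version, relative to the web root.
VERSION_SOURCES = {
    "wordpress": ("wp-includes/version.php", re.compile(r"\$wp_version\s*=\s*'([^']+)'")),
    "drupal7": ("includes/bootstrap.inc", re.compile(r"define\('VERSION',\s*'([^']+)'\)")),
}

def parse_version(text):
    """'7.23' -> (7, 23, 0). Numeric tuples avoid the string trap where '7.9' > '7.23'."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def audit_webroot(webroot, baselines):
    """Return (cms, installed, baseline, status) for every CMS found under webroot."""
    findings = []
    for cms, (rel_path, pattern) in VERSION_SOURCES.items():
        path = Path(webroot) / rel_path
        if not path.is_file():
            continue  # this CMS is not installed here
        match = pattern.search(path.read_text(errors="replace"))
        installed = match.group(1) if match else None
        baseline = baselines.get(cms)
        if installed is None:
            status = "unreadable"  # file present but version line missing: investigate
        elif baseline is None:
            status = "no-baseline"
        elif parse_version(installed) < parse_version(baseline):
            status = "outdated"
        else:
            status = "ok"
        findings.append((cms, installed, baseline, status))
    return findings

def demo():
    """Audit a constructed web root holding the two versions reported in the article."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "wp-includes").mkdir()
        Path(root, "wp-includes", "version.php").write_text("<?php\n$wp_version = '4.1';\n")
        Path(root, "includes").mkdir()
        Path(root, "includes", "bootstrap.inc").write_text("<?php\ndefine('VERSION', '7.23');\n")
        # 7.31 is the release the article names; 4.5 is a constructed placeholder.
        return audit_webroot(root, {"wordpress": "4.5", "drupal7": "7.31"})

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run on a schedule against each real web root, with baselines taken from the vendors' security advisories, a check like this flags a lagging install before an outside analyst does.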