The Panama Papers - How were they hacked?

The Panama Papers. The largest data leak in history. How did such a massive breach occur at a law firm dealing with high-profile politicians, celebrities, and sports stars? Was it a sophisticated attack? Did it require months of planning and a super smart, secretive hacker team? The truth is shocking negligence in managing IT basics.

In most cyber-security breaches, the attack vector is actually a known vulnerability. In the case of Mossack Fonseca, the firm the data was pulled from, a hacker would have had a wide range of vulnerabilities to choose from. As noted in this Wired article, their Exchange server hadn't been patched since 2009, and their corporate portal was very poorly configured and was not being securely maintained. Mossack Fonseca has confirmed that this attack was not an inside job and that the likely attack vector was the poorly maintained Exchange server. Their corporate portal hadn't been updated in months, and its configuration allowed you to browse the backend folders if you guessed a folder name.

Small and mid-size businesses often do not give sufficient thought to what would happen in the event of a security breach on their infrastructure. Some do not believe they are at risk of being targeted; others simply do not understand the level of risk they face. It's shocking that the law firm at the center of the Panama Papers was not more aware of the risk created by its lack of due diligence in managing its IT infrastructure. A law firm deals with a laundry list of private information, and not taking effective action to defend that information is inexcusable.

Businesses that are mindful of their security risk often think too big about their needs. As demonstrated by the Panama Papers, the risk is often much more elemental than people think. Having sophisticated intrusion detection, advanced digital rights management, and encryption doesn't address a simple issue like patching your systems regularly. It's like installing laser trip wires and steel-reinforced doors on your house, but leaving the garage door open. Fancy measures won't protect you when you ignore the basics.
