While politicians around the world, and especially in Pakistan, are busy “point scoring” against each other on the basis of the revelations in the Mossack Fonseca leaks, popularly known as the “Panama Papers”, IT security and data protection experts have just witnessed one of the worst data-breach nightmares that can befall any company in the world.
The staggering volume of “Panama Papers” data has been attributed to the breach of an e-mail server last year. Bloomberg reports that law firm co-founder Ramon Fonseca told Panama’s Channel 2 that the leaked documents are authentic and were “obtained illegally by hackers”.
The International Consortium of Investigative Journalists (ICIJ), which is coordinating the drip-feed release of information from the leak, says there are 11.5 million documents and 2.6 TB of data, making this the largest data leak of the past several years, bigger than either WikiLeaks in 2010 or the NSA files in 2013.
It also seems that the method of extracting the data, and therefore potentially the person who leaked it, is different too.
While the 2010 and 2013 US military and intelligence leaks were carried out by insiders (Chelsea Manning and Edward Snowden respectively), Mossack Fonseca is blaming this leak on an attack on its email servers, according to Spanish news site El Español.
The website quoted a statement from the company saying it had opened an investigation after discovering that “unfortunately” it had suffered “an attack on its email server” and that it is taking “all necessary measures to prevent this from happening again”.
These include reinforcing its security systems and bringing in specialist consultants to determine exactly what information the “unauthorised persons” have accessed; for many, this is a case of “too little, too late”.
So far, the ICIJ says, 140 politicians and public officials have been revealed as having offshore holdings, more than 214,000 organisations have been identified, along with many billions’ worth of transactions.
Reports of corporate data breaches continue to pass through the news headlines with such frequency that they barely merit a time slot in the evening news. However, in 2006 as many as 9,300,000 Americans were victims of identity theft. According to the Better Business Bureau, each victim lost on average more than $6,300 and spent over 40 hours on the phone with creditors and credit bureaus working to clear their names. Businesses suffer greatly as well, losing a collective $50 million each year as a result of data breaches.
Pakistan is slowly migrating into the realm of IT, and new IT-based systems are popping up all over the country, ranging from simple services that let the general public verify their mobile SIMs to more complex systems for land and taxation records.
These systems hold and store terabytes of data, including ID card numbers, names, addresses and other private information of millions of Pakistanis. Our IT companies, both private and government, now need not only to focus on developing new systems but also to set standards that ensure data security and privacy.
The IT race between the KP IT Board and the Punjab IT Board (both government organisations) is leading to IT system development on a massive scale; however, in the rush to outshine and outdo each other, no attention is paid to IT security and data protection. There is no information on what security standards these IT systems adhere to, and of course there are no external security audits to check system security and data integrity before they are allowed to go “online”.
This latest data breach in Mossack Fonseca makes it clear that data breaches are a pervasive problem for most organizations in the world today. Yet, despite negative repercussions in terms of cost outlays and reputation diminishment, many companies do not take appropriate steps to prevent data breach, or to prepare for and mitigate the risks when the inevitable occurs.
Pakistan’s IT ministry should step in and implement a standard policy requiring that all systems developed for government institutions and public services adhere to a data security standard such as PCI DSS or ISO 27001, and that they are only allowed to “go live” once they have been tested and audited against these standards.
It is the need of the hour to take “data and information security” out of flashy seminars and useless workshops and make it an integral, practical part of the system development standards practised up and down the country; otherwise, one day we Pakistanis may wake up to find our data published on some hacker’s board.