21 February 2019
There are many ways hackers can access firms' client data, so companies need to be watchful and put in place data security systems. Photos: Reuters, Bloomberg
There are many ways hackers can access firms' client data, so companies need to be watchful and put in place data security systems. Photos: Reuters, Bloomberg

Panama Papers leak reminds us about information security risks

On April 5, Panama-based law firm Mossack Fonseca suffered the massive leakage of millions of documents, some of which concerned hard-to-trace offshore assets of political leaders and business elites.

The Panama Papers have dominated newspaper headlines.

The incident has stoked concern about the security flaws at the heart of the leak.

Law firms, corporate service organizations and investment companies all sit on large piles of confidential documents and customers’ data.

They can easily become targets of hackers.

That could cause heavy losses and injured reputations for the companies.

In fact, the Panama Papers is just the tip of an iceberg of data leakage around the world.

There were numerous similar data leaks last year and in the first quarter of this year, from retailers, banks, hotels, payment systems or even government agencies.

However, most of these leaks have yet to be revealed.

Mossack Fonseca did not disclose what caused its data leak.

It found that all day-to-day communications between the law firm and its clients take place on an online e-commerce platform for payment processing, information flows, enquiries, online applications and so on.

The platform is linked to an internal database that contains all the clients’ information.

Hackers might steal information via installing malware at the user end.

When the user linked to the website, the hackers could steal massive client data from the system linking the user platform to the internal database.

Also, hackers could send fraudulent emails to clients, pretending to be customer service staff.

When a client opens an attachment in the email, the malware would be installed in the client’s mobile device or computer, and the hackers could obtain the administrator’s user ID and password to log in to the website and download client information.

Hackers could also find a zero-day vulnerability, a loophole in software unknown to its developer, in the system and steal directly from the database.

Nevertheless, companies still have solutions available at some cost to reduce the risk of information leakage to the minimum.

Nowadays, data security faces threats and challenges all the time.

It’s not enough to just rely on IT or information security teams.

Companies have to mobilize all personnel within the organization and deploy more resources in upgrading the IT infrastructure and operating model.

Generally speaking, it is suggested that companies enhance detection, identification and protection to mitigate the risk of data leaks.

It will not be easy.

US banking giant JPMorgan Chase & Co. suffered a 2014 data breach associated with over 83 million accounts.

It was discovered that the hacker had worked for the bank for many years.

A multinational corporation like JPMorgan, which employs several hundred information security professionals, suffered one of the most serious intrusions ever by a hacker. What about ordinary firms?

All companies should strengthen the inspection and analysis of internal threats, detecting zero-day vulnerabilities in their software and collecting and analyzing more data to maintain information security.

This article was written by Pang Ming-kai and appeared in the Hong Kong Economic Journal on May 20.

Translation by Julie Zhu

[Chinese version 中文版]

– Contact us at [email protected]


Young Accountants Association of Hong Kong

EJI Weekly Newsletter

Please click here to unsubscribe