The Panamanian law firm Mossack Fonseca lost mountains of data in what is likely the biggest Internet data breach in history. The contents of the Panama Papers, in all their sheer volume, were acquired through a series of cyber hacks.
News organizations reported that the hacked websites were WordPress and Drupal. They implied that these two platforms have subpar security. One interview I saw suggested that being open source meant reduced security.
WordPress and Drupal, however, are not to blame for this massive hack. The fact that they are free and open source is definitely not to blame, because the first of three hacks occurred on a platform made by the largest for-profit software company in the world, Microsoft.
Unsecured email started the data breach.
The breach started with a Microsoft Outlook server. The company had been using an on-site server for email running software from 2009. They allowed access to the server using a web interface. Email has generally been considered insecure, and Microsoft never added encryption to this outdated software.
Today, thanks to Google, most email is actually quite secure. Google, Microsoft, and all the big players in email have raised the bar on encryption, which provides quite adequate security for most businesses and probably would have been enough to protect the firm from a random hacker.
It’s likely that the hackers discovered the treasure trove of data via unsecured email. Once they figured out which platforms were being used, hacks for them were easy to find. However, both WordPress and Drupal are updated constantly, every time a new exploit is discovered. There are hackers who specialize in WordPress, trying to crack it specifically to help the community close up loopholes.
Unfortunately, they were using a slightly outdated version of WordPress and a three-year-old version of Drupal. We use WordPress (and Drupal on occasion), but our clients rely on us to keep them up-to-date.
Had Mossack Fonseca been clients of Mediastead, we would’ve kept their data secure for $49 a month.
This so-called “hacker” wasn’t a hard-core professional, and was likely someone with basic knowledge of hacking, perhaps a journalist level of knowledge (wink wink).
The law firm created more than 200,000 individual companies specifically to hide money from a variety of government entities for the purpose of stashing billions of dollars out of sight of the taxman.
It reminds me a little bit of “The Firm” by John Grisham. He says if you want to bring down the mob, bring down their lawyers. Apparently it also works when toppling heads of state.
Every month Mediastead patches our WordPress websites with the latest updates. This ensures that our client sites continue to function properly and have the latest security. Occasionally we are alerted to a particularly nasty exploit, and we update every site within 24 hours.
Panama Papers isn’t the largest hack in history.
In terms of data volume and hard target search, the Panama Papers is huge: multiple terabytes of data and millions of documents.
The most prolific hack was a virus called Heartbleed. It infected millions of websites, all of them on the WordPress platform. However, WordPress had repaired the exploit months before, and the original exploit was discovered by a member of the volunteer community, a network of 20,000 coders that contribute to the open source knowledge bank.
Heartbleed infected lots of websites, but all of them were owned by users who didn’t run security updates. The virus came and went, and our clients, as well as millions of others that use professional Web service firms, were never impacted.
What have we learned?
- Originally this was an email hack, not a website hack. The attacks on the websites were highly targeted.
- WordPress and Drupal (or even Microsoft) were not to blame. Mossack Fonseca’s IT guy or girl is to blame, and I wouldn’t want to be in their shoes today. They may be made of cement.
- If you’re going to hide billions from the taxman, at least have the foresight to spend $49 a month to keep your security up to date.
I, for one, am quite happy that a law firm with low scruples also apparently has an IT department with equally low scruples.
I’m also quite glad that, so far, American officials have not been accused. Are we less corruptible? Or do we just have better IT guys?
If you are geeky like us, here’s a good summary of the happenings from a web developer point of view.