Wednesday, 6 April 2016
Good night Vienna for (client) confidentiality
Whoever is the current (or maybe former by now) head of IT / Security at Panama law firm Mossack Fonseca must be wishing nostalgically for the days of typewriters and attractive people reaching for the bottom drawer of the metal filing cabinet.
According to reports, the data breach, which is by some measurements the largest ever at 2.6 TB of data with documents going back to the 1970s, was achieved through a breach of the security on the email server, leading to the download of its entire contents. Since 1970 was pre-digital, the decision must have been taken to digitize hard-copy documents and add them to the servers.
One might expect a massive download of this type to be picked up by network monitoring systems, and therefore it seems likely that the external hackers had some internal assistance - but that is speculation. The alternative is that no network monitoring was occurring, which might leave you wondering what the IT department was up to (other than watching dodgy online content and surfing social media).
As none of the documents were encrypted, once the breach had occurred it was very much "good night Vienna" both for the clients of Mossack Fonseca and for the concept of confidentiality between lawyer and client.
As a broader issue, medical records and all other digitally stored content that is not encrypted must now be considered semi-public.
While 3 TB may seem large (maybe 10 million docs), portable storage for this can be bought off the shelf for about £115. Any unhappy person in any IT department can simply walk out the door with sensitive data.
The ethics around the actions of Edward Snowden and the hackers involved in the Mossack Fonseca case are not clear-cut, and unless you are an ends-justify-the-means merchant they will always be in a grey area.
The key thing to accept now is that the old adage from Benjamin Franklin rings true: "Three people can keep a secret, if two of them are dead."