Biggest Data Leak Ever Exposes World's Most Rich & Powerful

An obscure law firm in Central America is the source of what's being called the largest information leak in history.

Emails and documents reveal how the world's richest and most powerful, from Vladimir Putin to the prime minister of Iceland, hide their business dealings using offshore tax havens and shell companies.

For the past year, hundreds of journalists from around the world secretly analyzed terabytes of data uncovered from Mossack Fonseca, a Panama-based law firm with offices around the world. Their findings were collectively published on April 3td as the Panama Papers.  

How did this all start?

About a year ago, an anonymous source contacted German newspaper Süddeutsche Zeitung with data from Mossack Fonseca, a relatively unknown law firm based in Panama that specializes in creating shell companies. These shell companies are held in countries with strict privacy laws and used to obfuscate business dealings.

Süddeutsche Zeitung partnered with the International Consortium of Investigative Journalists and over one hundred media partners to parse and report on the leaked data. Those media partners include the likes of the BBC and The Guardian.
 
The Panama Papers constitute more leaked data than the Wikileaks Cablegate, Offshore Leaks, Lux Leaks, and Swiss Leaks combined, according to Süddeutsche Zeitung. That makes this data leak the largest in recorded history with:

•    2.6 terabytes of data from Mossack Fonseca's founding in 1977 to December 2015
  
•    11.5 million documents, including email correspondence and legal contracts

•    214,000 shell companies used by 12 country leaders, 128 public officials, and 29 Forbes-listed billionaires 

The wider implications of the Panama Papers have yet to be felt. What's been initially published focuses heavily on money traced back to Russian president Vladimir Putin and Iceland prime minister Sigmundur David Gunnlaugsson. 

Media outlets with access to the Panama Papers will likely publish more of their findings in the coming days and weeks.

Whistleblowing History

When Daniel Ellsberg photocopied and leaked the Pentagon Papers to the New York Times in 1971, those 7,000 pages of top-secret Vietnam War documents represented what was then the biggest whistleblower leak in history—a couple dozen megabytes if it were contained in a modern text file. Almost four decades later, WikiLeaks in 2010 published Cablegate, a world-shaking, 1.73-gigabyte collection of classified State Department communications that was almost a hundred times bigger.

If there’s some Moore’s Law of Leaks, however, it seems to be exponential. Just five years have passed since WikiLeaks’ Cablegate coup, and now the world is grappling with a whistleblower mega-leak on a scale never seen before: 2.6 terabytes, well over a thousand-fold larger.

Recently more than a hundred media outlets around the world, coordinated by the Washington, DC-based International Consortium of Investigative Journalists, released stories on the Panama Papers, a gargantuan collection of leaked documents exposing a widespread system of global tax evasion. The leak includes more than 4.8 million emails, 3 million database files, and 2.1 million PDFs from the Panamanian law firm Mossack Fonseca that, according to analysis of the leaked documents, appears to specialize in creating shell companies that its clients have used to hide their assets.

“This is pretty much every document from this firm over a 40-year period,” ICIJ director Gerard Ryle told WIRED in a phone call, arguing that at “about 2,000 times larger than the WikiLeaks state department cables,” it’s indeed the biggest leak in history.

The source warned that his or her 'life is in danger,' was only willing to communicate via encrypted channels, and refused to meet in person.

Neither the ICIJ nor any of the reporters it’s worked with have made the leaked data public. But the scandal resulting from their reporting has already touched celebrities, athletes, business executives and world leaders. The documents trace $2 billion of hidden money tied to Vladimir Putin through accounts held in the names of family members and his celebrated musician friend Sergei Roldugin. Icelandic Prime Minister Sigmundur Gunnlaugsson is facing demands from the previous Icelandic prime minister that he resign after the Mossack Fonseca documents showed that Gunnlaugsson may have failed to disclose ownership of a stake in certain Icelandic banks under the government’s rules for officials.
 
And the leaks drag FIFA officials back into the news, showing that even an ethics lawyer for the world soccer body had financial ties to another FIFA official already accused of corruption.

But beyond those revelations—and there will likely be more as the reporting around the Panama Papers continues—the leak represents an unprecedented story in itself: How an anonymous whistleblower was able to spirit out and surreptitiously send journalists a gargantuan collection of files, which were then analyzed by more than 400 reporters in secret over more than a year before a coordinated effort to go public.

How  History’s Biggest Leak Was Coordinated

The Panama Papers leak began, according to ICIJ director Ryle, in late 2014, when an unknown source reached out to the German newspaper Suddeutsche Zeitung, which had reported previously on a smaller leak of Mossack Fonseca files to German government regulators. A Suddeutsche Zeitung reporter named Bastian Obermayer says that the source contacted him via encrypted chat, offering some sort of data intended “to make these crimes public.” But the source warned that his or her “life is in danger,” was only willing to communicate via encrypted channels, and refused to meet in person.
“How much data are we talking about?” Obermayer asked.

 “More than you have ever seen,” the source responded, according to Obermayer.

Obermayer tells WIRED he communicated with his source over a series of encrypted channels that they frequently changed, each time deleting all history from their prior exchange. He alludes to crypto apps like Signal and Threema, as well as PGP-encrypted email but declines to say specifically which methods they used. Each time the reporter and source re-established a connection, they would use a known question and answer to re-authenticate each other. “I’d say ‘is it sunny?’ You’d say ‘the moon is raining’ or whatever nonsense, and then both of us can verify it’s still the other person on the device,” Obermayer says.

After seeing a portion of the documents, Suddeutsche Zeitung contacted the ICIJ, which had helped to coordinate previous tax haven megaleaks including a 2013 analysis of leaked offshore tax haven data and another leak-enabled investigation last year that focused on assets protected by the Swiss bank HSBC. ICIJ staff flew to Munich to coordinate with Suddeutsche Zeitung reporters.

Meanwhile, the shipments of leaked data continued piecemeal. “Over time we got more and more until we had all 11.5 million documents,” Ryle says. Obermayer declined to explain how their leaker sent Suddeutsche Zeitung hundreds of gigabytes or even terabytes of information at a time. That’s far too much to send over email, of course, though that quantity of data could easily be sent anonymously in the form of shipped encrypted hard drives. “I learned a lot about making the safe transfer of big files,” Obermayer says elliptically.

We’re not WikiLeaks. We’re trying to show that journalism can be done responsibly.

The ICIJ’s developers then built a two-factor-authentication-protected search engine for the leaked documents, the URL for which they shared via encrypted email with scores of news outlets including the BBC, The Guardian, Fusion, and dozens of foreign-language media outlets. The site even featured a real-time chat system, so that reporters could exchange tips and find translation for documents in languages they couldn’t read. “If you wanted to look into the Brazilian documents, you could find a Brazilian reporter,” says Ryle. “You could see who was awake and working and communicate openly. We encouraged everyone to tell everyone what they were doing.” The different media outlets eventually held their own in-person meetings, too, in Washington, Munich, London, Johannesburg and Lillehammer, Ryle says.

Remarkably, despite all that broad access and openness, the full leaked database has yet to leak to the public—perhaps in part because it’s so large and unwieldy. Obermayer admits that rumors of the massive leak spread, but says that the data itself remained contained. “Last fall I was really nervous, thinking ‘a lot of people know,'” he says. “Word leaked out at places. But it never got further.”

Ryle says that the media organizations have no plans to release the full dataset, WikiLeaks-style, which he argues would expose the sensitive information of innocent private individuals along with the public figures on which the group’s reporting has focused. “We’re not WikiLeaks. We’re trying to show that journalism can be done responsibly,” Ryle says. He says he advised the reporters from all the participating media outlets to “go crazy, but tell us what’s in the public interest for your country.”

Weeks before contacting the subjects of the investigation, including Mossack Fonseca, Obermayer took one final precaution: he destroyed the phone and the hard drive of the laptop he’d used for his conversations with the source. “This may have seemed a little overachieving,” he notes, “But better safe than sorry.”

He notes that even now, he doesn’t know who the source actually is. “I don’t know the name of the person or the identity of the person,” Obermayer says. “But I would say I know the person. For certain periods I talked to [this person] more than to my wife.”

A New Era of Mega-leaks

The leaks are bound to cause ripples around the world—not least of all for Mossack Fonseca itself. The firm didn’t respond to a request for comment from WIRED, but it wrote to the Guardian that “many of the circumstances you cite are not and have never been clients of Mossack Fonseca” and that “we have always complied with international protocols … to assure as is reasonably possible, that the companies we incorporate are not being used for tax evasion, money laundering, terrorist finance or other illicit purposes.” Another letter posted to WikiLeaks’ Twitter feed, meanwhile, purports to show how the firm has responded to its own clients:

Mossack Fonseca and its customers won’t be the last to face an embarrassing or even incriminating mega-leak. Encryption and anonymity tools like Tor have only become more widespread and easy to use, making it safer in some ways than ever before for sources to reach out to journalists across the globe. Data is more easily transferred—and with tools like Onionshare, more easily securely transferred—than ever before. And actual Moore’s Law continues to fit more data on smaller and smaller slices of hardware every year, any of which could be ferreted out of a corporation or government agency by a motivated insider and put in an envelope to a trusted journalist.

The new era of mega-leaks is already underway: The Panama Papers represent the fourth tax haven leak coordinated by the ICIJ since just 2013. The Intercept, the investigative journalism outlet co-founded by Glenn Greenwald, Laura Poitras and Jeremy Scahill, has also shown how encryption tools can be combined with investigative journalism to yield leaks like last year’s Drone Papers and a collection of 70 million prison phone call records. Dozens of media outlets, including the Intercept, now host anonymous upload systems that use cryptographic protections to shield whistleblowers. 
All of that—unfortunately for companies and governments trying to keep hold of their dirty data, but fortunate for public interest—means that the widening pipeline of leaks isn’t likely to dry up any time soon.

Business Insider:      Wired:

 

 

« 27% Of Known Malware First Appeared In 2015
WhatsApp Implements Encryption »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

IPCopper

IPCopper

IPCopper specializes in network packet capture appliances for cybersecurity, cybersurveillance and network monitoring, and encrypted data storage.

Airbus Cybersecurity

Airbus Cybersecurity

Airbus CyberSecurity is a European specialist in cyber security. Our mission is to protect governments, military and critical national infrastructure enterprises from cyber threats.

ISC2

ISC2

ISC2 is an international, non-profit membership association for information security leaders. Our information security certifications are recognized as the global standard for excellence.

Sumo Logic

Sumo Logic

Sumo Logic simplifies how you collect and analyze machine data so that you can gain deep visibility across your full application and infrastructure stack.

GovCERT Austria

GovCERT Austria

GovCERT Austria is the Austrian Government Computer Emergency Response Team. Its constituency consists of Austria's public administration.

Cyber Security Academy (CSA)

Cyber Security Academy (CSA)

The CSA aims to educate professionals who wish to contribute to strengthening the digital defensibility of states, organisations and individual citizens.

Thomsen Trampedach

Thomsen Trampedach

Thomsen Trampedach offers a tailored-made brand protection solution to each customer using a proprietary enforcement automation and reporting tool and a multilingual enforcement team.

Sectra Communications

Sectra Communications

Sectra successfully develops and sells cutting-edge solutions in the expanding niche segments of medical IT and cybersecurity.

DDLS

DDLS

DDLS is Australia's largest provider of corporate IT, process training and cybersecurity training courses and certification programs.

Scythe

Scythe

SCYTHE is a next generation red team platform for continuous and realistic enterprise risk assessments.

Socure

Socure

Socure’s identity verification increases auto approval rates, reduces false positives and captures more fraud. In real time.

BridgingMinds Network

BridgingMinds Network

BridgingMinds Network is an industry leading best practices and IT security training provider in Singapore.

Center for Information Technology Policy (CITP) - Princeton University

Center for Information Technology Policy (CITP) - Princeton University

The Center for Information Technology Policy at Princeton University is a nexus of expertise in technology, engineering, public policy, and the social sciences.

Drata

Drata

Drata is a security and compliance automation platform that continuously monitors and collects evidence of a company's security controls, while streamlining workflows to ensure audit-readiness.

SGTech

SGTech

SGTech is the leading trade association for Singapore's tech industry, offering focused support and development to both strategic and emerging sectors in the industry.

Schillings

Schillings

Shillings defends your rights to privacy, reuptation and security. We fight passionately against breaches of your privacy, attacks on your reputation and threats to your security.