So far no one seems to have commented on how come the damaging documents from Mossack Fonseca got leaked in the first place. While of course we are all glad they did, except of course those rich, powerful and/or corrupt few, but from a security perspective this is probably one of the most monumental and spectacular cock-ups in world digital history. It is only the real world implications that has distracted everyone from the fact that a bank managed to leak so much information about its clients, which of course is a scandal in its own right. 11.5 million documents leaked is quite a scoop by any measure.
So this scenario raises a whole bunch of security questions. On the one hand if the Mossack Fonseca had the right technologies in place then the leak could not have happened. Basic access control would have reduced the risk, although no doubt this would have been an inside job, so whoever leaked the documents would probably have had legitimate rights to access them. But DLP (Data Loss Prevention) solutions could probably have identified and blocked such a leak by preventing the data transfer whether over a network or onto a removable device or media. Many DLP solutions monitor and alert but don’t actually block, so it may be that the leak was spotted but by then it would have been too late. DLP solutions often can block data transfers but its difficult to arrange without causing “false positives” thereby getting in the way of legitimate business. That said in this situation just the shear volume of data and its unusual nature should have been enough to cause the transfer to be blocked. Clearly not…
If DLP didn’t block it then IRM or eDRM (Information or Enterprise Digital Rights Management) solutions almost certainly could have. The documents would have then been encrypted so that only legitimate users could access them. Even if the horse had already bolted with IRM it is possible, using the right solution, for the documents to be killed remotely. As soon as the leak had been identified the leaked documents would become only so much digital junk, preventing the rest of the world from digging into this rich pool of damning information. Again clearly this didn’t happen but then that is less of a surprise as many organisations are slow in adopting these technologies.
On the other hand, like the recent storm regarding Apple refusing to give the FBI access to personal phone data, should world governments have the right to access such information, despite an organisations best efforts to conceal it? Is the application of DLP or IRM potentially dangerous in this situation by preventing appropriate scrutiny or whistle blowing? Well in our view no, not really. First off there clearly wasn’t the regulatory process in place, so no one was looking to analyse the contents of these documents in the first place. Secondly appropriate fraud detection should be working at the level of the financial transactions; being able to process big data and analyse the flow of data (or rather cash) to identify abnormal patterns. In short these findings could have already been known by the authorities if the transactional data was available and analysed in the right way. (And let’s be honest, none of this is a surprise to anyone anyway!) With financial and telecommunications information combined, authorities should have a pretty good idea where they should be looking for all kinds of criminal threats; without it having to be handed to them on a plate. Customers have a right to privacy. Authorities on the other hand need to work on the global financial systems that transfer funds so that more information is available to them about the nature of the transactions. Personal and corporate wealth does not appear spontaneously.