Data Loss Prevention Blog

Endpoint Security Lessons from the “Panama Papers” Data Breach

In light of the massive data breach at the law firm Mossack Fonseca being called “the Panama Papers”, CTOs and CISOs of organizations with confidential and sensitive client information must be lying awake a night thinking “can this happen to us?”

For most organizations, the answer is simple: yes, it can. But fortunately, the risk can be mitigated, and in many situations almost eliminated.

The Panama Papers is a huge trove of leaked documents detailing how a Panamanian law firm, Mossack Fonseca, has helped some of the world's most powerful people set up shell companies capable of concealing vast amounts of wealth. The fallout from the data breach is just beginning, with the resignation of the Prime Minister of Iceland the highest level casualty to date.

The data leak comprised over 4.8 million emails, 3 million database files; 2.2 million PDFs; 1.2 million images; 320,000 text files; and 2,242 files in other formats. If those figures aren’t enough to make you shiver, the total amount of data leaked totaled 2.6 terabytes, which makes Snowden’s 60 gigabyte breach look tiny by comparison.

Although there has been no definitive conclusion in terms of how the data breach occurred, whether it was a malicious outside hacker or a disgruntled insider employee, the size of the breach and types of documents leaked suggest that it was most likely performed by an insider. Moving 2.6 terabytes of data via a network hack is possible, but just not probable. Organizations spend a vast amount of resources in securing their network perimeter against hacks from malicious outsiders as well as monitoring large data egress spikes, so the notion that it was an outside breach is unlikely.

A disgruntled inside employee using a portable device with massive storage capability and fast data transfer speeds is the more likely origin of the leak. The types of files, the size of the files, and the age of some of data (from the 1970s through to present day), all point to an inside job, where a previously trusted employee, with the right network access, decided one day to go rogue and steal all the confidential data in order to “spill the beans” on their employer.

Most security surveys confirm that data leaks caused by insiders, whether malicious or accidental, far outnumber data leaks caused by outside hackers. And if it is true that it was a trusted insider at Mossack Fonseca that stole the confidential client data, most likely from a computer endpoint, then it’s also the case that the company could have stopped the leak before it happened by having implemented endpoint-based data leak protection (DLP) software on their computers.

DeviceLock has been providing the industry’s most trusted endpoint DLP solutions since 1996, and offers endpoint control and data leak prevention software to some of the world’s most security intensive environments that include healthcare organizations, government agencies, defense contractors, pharmaceutical companies, academic institutions, financial firms, and yes, legal firms in over 100 countries.

So, in the case of Mossack Fonseca, if they were running DeviceLock DLP software on their computer endpoints, this data breach would very likely not have happened. We focus on the endpoints, where most inadvertent and malicious data breaches occur; and then provide easy to deploy and configure software solutions that tackle the problem at the leakage source - the endpoint.

With DeviceLock DLP, the organization can make judgments and create rules on data egress based on the transaction channel, context, and most certainly content. Part of that “context” equation is shutting down or mitigating access to data leakage channels while monitoring for content on the data channels that are allowed for by authorized users and groups. A discrepancy, such as an employee downloading a massive amount of information can be flagged, reported, and stopped before any damage can be done. So, DeviceLock protects against both malicious and inadvertent data breaches caused by “trusted” employees.

As we said in a previous blog post, your worst security threat might be your most trusted employee.

If you’d like to trial the DeviceLock DLP Suite for 30 days, please visit our website at: For more information on DeviceLock’s DLP solutions, call us at 925-231-4400 or email to us.sales (at) to talk to one of our endpoint security specialists.