Did an old WordPress site enable Panama Papers leak?

There has been a fair amount of speculation that the #Panamapapers leak about tax havens and private trusts may have been at least partially enabled by old versions of WordPress and Drupal which are being used by Mossack Fonseca, the Panamanian law firm.

( Note: I have removed links to theme & js files.)

Sarah Gooding writes at WP Tavern:

“While looking at the site today, I found that the firm’s WordPress-powered site is currently running on version 4.1 (released in December 2014), based on its version of autosave.js, which is identical to the autosave.js file shipped in 4.1. Since that time WordPress has had numerous critical security updates.

The main site is also loading a number of outdated scripts and plugins. Its active theme is a three-year-old version of Twenty Eleven (1.5), which oddly resides in a directory labeled for /twentyten/.

The Mossack Fonseca client portal changelog.txt file is public, showing that its Drupal installation hasn’t been updated for three years. Since the release of version 7.23, the software has received 25 security updates, which means that the version it is running includes highly critical known vulnerabilitiesthat could have given the hacker access to the server. This includes a 2014 SQL injection vulnerability known in the Drupal community as “Drupalgeddon,” which affected every site running Drupal 7.31 or below.

Investigators have not confirmed if the open source software vulnerabilities were used to access the data, but it is certainly plausible given the severity of the vulnerabilities in both older versions of WordPress and Drupal.”

Full story at Outdated and Vulnerable WordPress and Drupal Versions May Have Contributed to the Panama Papers Breach

It is possible that the breach was of the email server as reported in this story. Panama Papers stolen by hackers, says Mossack Fonseca

“Despite there being no mention of a hack in the law firm’s statement in response to media coverage of the issue, a screenshot posted on Twitter by WikiLeaks indicates that Mossack Fonseca clients were told the company was investigating an “unauthorised breach” of its email server.”

Of course as yet no one knows how the leak happened and for myself I think some public good may come of it. It is probably not as simple as a technology failing – although because of poor security maintenance that seems a likely pathway.

All WordPress users should secure their sites and keep them up to date or retain a service to do that for them.

If the law firm in question was actively helping individuals, trust and other entities to evade tax then that is a separate issue. New Zealand trust law gets a dishonourable mention in that regard.

Raybon Kan in Welcome to NZ – 100% Pure tax haven has the best take on this.

“Foreign trusts are protected by centuries of legal tradition, of rich people hiding wealth that would instantly raise eyebrows. A Russian cellist, for example, somehow has $2 billion dollars. That is a very successful musician. Bono and Keith Richards are probably kicking themselves for not learning the cello. No doubt in Russia, demand for cello lessons has gone through the roof. Coincidentally, this cellist is best friends with Vladimir Putin.
If there was a Nobel Prize for lawyers, these lawyers would win it.

Foreign trusts are black holes – invisible, zero-taxed singularities of legal physics.

The difference is, scientists are looking for black holes. Governments don’t want to know about foreign trusts.

Our PM and Tax Minister have both said there’s full disclosure in our foreign trust regime. I think full disclosure means zero disclosure.”

Amazingly in this age of filtered pr pretending to be news and product placement everywhere it is comedians who are often the best people to speak truth to power.

Update: This article suggests that the #Panamapapers leak was over a year ago The Law Firm That Works with Oligarchs, Money Launderers, and DictatorsBy Ken Silverstein December 3, 2014