[BreachExchange] The Panama Papers: What does this data breach mean for IT and cybersecurity?

Audrey McNeil audrey at riskbasedsecurity.com
Wed Apr 27 19:22:48 EDT 2016


http://www.itworldcanada.com/blog/the-panama-papers-what-does-this-data-breach-mean-for-it-and-cybersecurity/382655

The Panama Papers were released by a hacker who broke into the servers of
Mossack Fonseca.  So those papers are stolen property. The media does not
seem to mind, but perhaps the members of the IT community should.

Information is our business. People look to us to secure their personal
information, and if my personal data is stolen I certainly expect those who
find it to still respect my privacy.

I once had a neighbour return some credit card statements that I had
erroneously recycled. Apparently they had blown out of the recycle truck
into his yard. He assured me he had not looked at the information on those
statements. I think he was more upset than I was. He handled it all very
well for me.

The CBC recently did a piece they called “The Age of Robin Hood Hackers” on
its flagship national television news program The National. We can
sympathize with Robin Hood or these hackers, but Robin Hood was an outlaw
and people received stolen goods from him. Section 354 of the Canadian
Criminal Code forbids possessing any property or thing obtained by crime.

So if you possess information that was obtained by an illegal hack, should
you go to jail?

Information is a little different than the jewels that Robin Hood was
stealing. If you have information, it does not preclude that the owner can
keep the information, or that others might have gotten the information some
other way that is not illegal. This week the police found many shredded
documents at Mossack Fonseca that were bound for recycling. Assembling
those pieces would get you the same information as a digital copy. You
don’t even need the copy. You can obtain information just by looking at it.
Most different of all is the fact that Robin Hood can never just give these
jewels back. Distributing information using our digital networks makes a
breach of privacy a permanent worldwide event.

A 2014 RCMP report lists fraud, identity theft and intellectual property
infringements as cybercrimes they need to focus on. This idea of crime
motivated by the “right of the public to know” instead of the usual
personal and monetary motivations is low on their radar. Or it was. You can
bet the high profile people who were impacted by the Panama Papers will add
their weight to the American government who were so impacted by Snowden.

We may secretly hope that private information about bad people gets found
and the truth gets out. But we certainly do not want our own information
posted where others can use it or question us about it. As this kind of
“leak” gets more common, the persecution and the penalties will increase.
So you may not want to be found in possession of stolen information. So
what are you supposed to do the next time someone tries to show you the
Panama Papers? Don’t Look?

I like that a set of protocols is emerging for when a privacy breach
happens. Everyone who is affected is notified. They are told what the
thieves found, and what steps the company is taking and what they as an
individual should take. I’m thinking Mossack Fonseca will have their hands
full doing that.

Can we, as the Information Management community, recommend anything else
that would protect the good guys and not the bad guys?