Founded in 1977 by Jurgen Mossack and Ramon Fonseca, Mossack Fonseca had been perched at the top of offshore legal services providers until April 2016, when it became ground zero for a global controversy because approximately 11.5 million of the firm’s internal legal and financial documents were leaked to the media. These leaked documents – publicized primarily by the International Consortium of Investigative Journalists (“ICIJ”) – allegedly reveal a global system of undisclosed offshore accounts, money laundering and tax evasion, and how the rich and powerful around the world use shell companies to conceal assets and possible illegal activity.
The incident is the largest publicly disclosed data breach involving a law firm. Following the April 2016 publication of data, founding partner Ramon Fonseca and other public sources claimed that the firm’s network had been compromised by hackers sometime in 2015. Security researchers and other public sources identified numerous unpatched vulnerabilities in Mossack’s website and email server, which could have been very easily compromised by hackers. Approximately 2.6 terabytes of data – including 4.8 million emails, 3 million database files, and 2.1 million.pdf files – were leaked, including client documents dating back to the 1970s.
The Panama Papers scandal not only sharpened the national and global focus on the general risks of money laundering, tax evasion, and terrorist financing, but it also helped fuel the international critique of the United States as a potential haven for money laundering and tax evasion due to opportunities in the U.S. to form legal entities without having to disclose the entities’ true beneficial owners. The scandal also reminded the world how lawyers potentially can facilitate their clients’ money laundering.
The incident and resulting scandal also illustrates the growing frequency, ease, and potentially devastating consequences of data breaches. Cyber incidents – whether malicious or non-malicious in nature – can threaten even the richest and most powerful people, and the breach of client confidential information held by a law firm can have serious potential legal consequences for both the firm and its affected clients.
When the Panama Papers scandal broke, the Office of the U.S. Attorney for the Southern District of New York announced an investigation into these matters, as did enforcement agencies in many other countries. Panamanian authorities raided the law firm in both 2016 and 2017, and the firm’s founders were arrested last year in Panama after their indictment on money laundering charges allegedly tied to the Petrobas corruption scandal in Brazil.
In announcing its closure to its clients, the firm cited “reputational deterioration” that has caused “irreversible damage.” Other highlights from the firm’s statement regarding its closure include the following claims (roughly translated from Spanish to English) by Mossack Fonseca, which has cast itself as the law-abiding victim of a massive data breach and smear campaign directed at both the firm and Panama itself.
- The firm’s members fulfilled their duties to their clients “to provide dynamic, innovative and law-abiding service;”
- The firm was a “victim of a cyber attack of global scale,” as well as an ensuing media campaign;
- The ICIJ presented to the world, based on stolen information, an inaccurate portrayal of the services provided by Mossack Fonseca, distorting the nature of the firm’s business and its role in the global financial markets;
- The so-called Panama Papers scandal represented not only an attack on a prestigious firm, but also an effort to attack the entire Panamanian financial system; and
- The firm has asked the authorities to get to the bottom of the theft of their client information, and to resist pressure from some international groups wanting to make Panama less competitive.
You also can follow the latest legal developments in privacy and cybersecurity by subscribing to our blog, CyberAdviser.