Founded in 1977 by Jurgen Mossack and Ramon Fonseca, Mossack Fonseca had been perched at the top of offshore legal services providers until April 2016, when it became ground zero for a global controversy because approximately 11.5 million of the firm’s internal legal and financial documents were leaked to the media. These leaked documents – publicized primarily by the International Consortium of Investigative Journalists (“ICIJ”) – allegedly reveal a global system of undisclosed offshore accounts, money laundering and tax evasion, and how the rich and powerful around the world use shell companies to conceal assets and possible illegal activity.
The incident is the largest publicly disclosed data breach involving a law firm. Following the April 2016 publication of data, founding partner Ramon Fonseca and other public sources claimed that the firm’s network had been compromised by hackers sometime in 2015. Security researchers and other public sources identified numerous unpatched vulnerabilities in Mossack’s website and email server, which could have been very easily compromised by hackers. Approximately 2.6 terabytes of data – including 4.8 million emails, 3 million database files, and 2.1 million.pdf files – were leaked, including client documents dating back to the 1970s.
The Panama Papers scandal not only sharpened the national and global focus on the general risks of money laundering, tax evasion, and terrorist financing, but it also helped fuel the international critique of the United States as a potential haven for money laundering and tax evasion due to opportunities in the U.S. to form legal entities without having to disclose the entities’ true beneficial owners. The scandal also reminded the world how lawyers potentially can facilitate their clients’ money laundering.
The incident and resulting scandal also illustrates the growing frequency, ease, and potentially devastating consequences of data breaches. Cyber incidents – whether malicious or non-malicious in nature – can threaten even the richest and most powerful people, and the breach of client confidential information held by a law firm can have serious potential legal consequences for both the firm and its affected clients.