
Adam Bannister is a contributor to IFSEC Global, having been in the role of Editor from 2014 through to November 2019. Adam also had stints as a journalist at cybersecurity publication, The Daily Swig, and as Managing Editor at Dynamis Online Media Group.
November 6, 2017


Paradise Papers: How perceived immorality sometimes trumps criminality in media coverage

It’s revealing to compare the media coverage of the Paradise Papers hack to that of other high-profile data thefts.

It’s mostly been referred to in headlines as a ‘leak’ rather than a ‘hack’ for a start. An entirely accurate description, admittedly, but it certainly underplays the role of the data thief.

The focus, of course, is on the public figures – the Queen, Tory donor Lord Michael Ashcroft and Canadian Prime Minister Justin Trudeau – who have squirreled away millions of dollars into offshore bank accounts. Bono’s presence is particularly delicious for those who see his philanthropy as ostentatious and hypocritical.

By contrast, the Guardian used the words ‘stolen’ and ‘cybersecurity’ in the opening sentence of its report of the Equifax hack.

The Telegraph – hardly the scourge of the super-rich – relegated the security dimension to a secondary role, saying in the first sentence that “the 13.4 million files [obtained] show the complex financial dealings of the super-rich and major global corporations.”

In other words, it is the contents of the information stolen that is of interest, not the criminality of the hack.

Public interest defence

There is a sense with this breach, and in many similar scenarios, that the hackers have a public interest defence – in the minds of the public, if probably not in the view of the courts.

When 143 million ordinary Americans had their personal information compromised during the Equifax hack, nothing but sympathy was forthcoming. But sympathy is in short supply in this case.

Living with stagnating incomes and severe cuts to public services since the 2009 crash, the public is in no mood to sympathise with tax-dodging billionaires.

The case shows how perceptions of morality and criminality do not always converge. The hackers were unequivocally committing a crime as they exposed financial activities that probably weren’t illegal in many or all cases (that remains to be seen).

Should the hackers ever be apprehended – which is far from probable – they will probably be cheered as they enter court.

The hack is a reminder that cybercrime is sometimes motivated by loftier aspirations than making money (although that is the principal driver in most cases). As well as doing it for the sheer thrill, hackers also steal data or take down websites to expose injustice, for political ends or even to redistribute money Robin Hood-style.

And if you want to take on The Man, then hacking is a highly appealing way of doing it: the impact can be profound (as the Paradise Papers case shows), the chances of getting caught are fairly low, you needn’t risk encountering physical violence and you don’t have to leave your home to do it.

“You used to have to sneak into offices to leak documents. You used to need a gun to rob a bank. Now you can do both from bed with a laptop in your hand,” wrote Robin Hood hacker ‘Phineas Fisher’ in his DIY Guide to Hacking.

“The parallels of Paradise Papers to last year’s Panama Papers breach are obvious,” said Mark Sangster, VP at cybersecurity company eSentire. “However beyond the shock factor of the leaked data itself, what’s more alarming is the depth and magnitude of this breach.

“Law and accounting firms should raise the alarm when it comes to their firm’s cybersecurity rigour.

“Panama Papers may have been opportunistic. However it laid a blueprint for these kinds of attacks.

“It has shone a spotlight on tax operations in the Caribbean, and while the mechanics of the breach itself have yet to be revealed, this was clearly a targeted attack. Appleby took appropriate response steps in notifying their clients, but you can’t insure this.

“This class of events demonstrates why law firms must protect their clients’ confidential information. No amount of cyber insurance, data back strategies, nor business continuity planning can ever put this genie back in the bottle.

“Law and accounting firms are particularly susceptible to ethical hacking and really, every firm should assume they’ll be breached, because they will be breached. These firms house a treasure trove of sensitive data that when compromised can result in sometimes irrecoverable damage.”

“Intruders won’t be found”

Ilia Kolochenko, CEO of cybersecurity firm High-Tech Bridge, said: “Seems that this is another major hacking case where intruders won’t be found and prosecuted. Notwithstanding the allegations of wrongdoing offshore, a crime cannot be justified by investigation of unlawful activities. Victims should explore various legal avenues to claim damages, which may be quite significant.”

In an email sent to its clients, Appleby, the law firm whose data was breached, admitted that the hack on their servers occurred in October 2015. By the time the breach was spotted in May 2016 the files had already been accessed several times.

Said Kolochenko: “Law firms have become a very attractive target for cybercriminals. Hacking of their clients is quite costly, will likely be detected and investigated, and almost certainly will cause very serious counter-actions.

“Many law firms still carelessly rely on the law for data protection, but this is in vain. Paucity of financial resources and lack of qualified personnel preclude law enforcement agencies from investigating and prosecuting the vast majority of crimes committed in digital space.

“This creates a very dangerous atmosphere of unlawfulness and impunity in the Internet, undermining trust in the government and its ability to protect our society.

“It may be a good moment to think about imposing obligatory data security standards on law firms and practicing attorneys. Their data deserves at least the same level of protection as data of companies under PCI DSS or HIPAA compliance. Otherwise, visiting attorneys will become a very risky practice.”

In a statement Appleby said: “Appleby has thoroughly and vigorously investigated the allegations and we are satisfied that there is no evidence of any wrongdoing, either on the part of ourselves or our clients.

“We refute any allegations which may suggest otherwise and we would be happy to cooperate fully with any legitimate and authorised investigation of the allegations by the appropriate and relevant authorities. Having researched the ICIJ’s allegations we believe they are unfounded and based on a lack of understanding of the legitimate and lawful structures used in the offshore sector.”

Premier of Bermuda David Burt said: “We maintain high vigilance on any and all criminal activities, including cyber, as well as requiring leading standards on tax and transparency of all who do business here. We will not tolerate non-compliance in any of these areas, and are reviewing this incident and related matters, and will take any further action as required.”
