Mossack Fonseca is a law firm based in Panama and is the center of the data breach dubbed “the Panama Papers”. The Panama Papers is a truly massive breach – a reported 2.6 Terabytes. To put that in perspective, the recent Sony data breach was 230Gb, just 10% of the Panama Papers leak. We’ll leave the details of the personal scandals that resulted from this mega-breach to other forums, but suffice it to say that prime ministers from more than one country are being scrutinized / removed because of this breach.
So what made this breach possible? The fact that the website from which the breach occurred was (and is) running both WordPress and Drupal caught our attention. It turns out that, among other outdated software on their site (both Drupal and WordPress core versions were out of date), according to the well-regarded WordPress developer of WordFence (a WordPress security program that we know and love), Mossack Fonseca was running an outdated version of the popular WordPress slider plugin – Revolution Slider. The outdated version of the plugin had an exploit that is very well known in WordPress circles, and multiple patches and new versions had been released since the exploitable version was installed. To exploit the site with that vulnerability present would be very easy – there are cookbook style instructions on how to do it all over the internet. Most likely, the exploit was achieved by a bot and not even a human being.
So how could this have been avoided? WordPress maintenance of the site would have done it. However, because of the way that Revolution Slider updates were posted at that time, someone clicking through the administrative side of WordPress and updating plugins by looking for an “update” link would not have been alerted that the plugin needed an update (Revolution Slider has since changed that and does alert the user to the need for an update). The person would have had to know that the plugin required an update by visiting the Revolution Slider website or reading one of a zillion security briefs that were issued on that very topic.
Had the Mossack Fonseca site been maintained by a professional firm, or even by someone who was monitoring the largest exploits in the WordPress world, it would have been updated and the Panama Papers most likely would never have occurred. There are many other things that were not up to par about the way that the Mossack Fonseca site was set up, but a poorly maintained site that houses important private information is simply not acceptable in the modern world.
Hopefully the rest of us can be so wise as to learn from this mistake.