As you may know, the Panama Papers leak included millions of confidential documents detailing information about hundreds of thousands of offshore companies. The source of the leaked documents has been tracked to Mossack Fonseca, a Panamanian law firm who is a “leading global provider for legal and trust services”.
What you may not know is that their website was ground zero for the leaked documents. Mossack Fonseca runs their websites on WordPress and Drupal — two of the most popular content management systems in the world. And they ran those systems without considering their ongoing security; they had neither an upgrade plan nor a firewall in place.
As information continues to come to light, it appears that Mossack Fonseca’s WordPress website was vulnerable through an outdated plugin called Revolution Slider (revslider), whose vulnerability had been known since 2013. That vulnerability exposed Mossack Fonseca’s entire WordPress database to hackers. With access to the WordPress database, hackers were then able to access the law firm’s primary email account, where a log of all communications could be found. Additionally, the leak exposed private client documents stored on a Drupal website that had 23 known vulnerabilities at the time of the leak.
The initial security issue seems to stem from a failure to perform basic website maintenance; the website plugin that hackers used to get access had a well-known vulnerability dating back to 2013. Mossack Fonseca went three years without properly updating before finally being hacked.
How Does This WordPress Hack Impact Your Site?
The hack changes nothing; you’re either routinely updating your website to patch vulnerabilities or you’re increasing your vulnerability to cyberattacks.
Basic website maintenance will prevent most hacks. So, if you’re protecting sensitive client information, routine updates are the least you can do. But routine updates won’t stop every hack. That’s why we suggest going beyond the bare minimum and implementing a website health and security plan. Paying for security monitoring and vulnerability repairs is well worth the price. Just ask Mossack Fonseca and their clients.