This 2016 leak meant a 6-month investigation in addition to record-breaking fines from the BVI.
The Financial Services Commission (FSC imposed a $440,000 administrative penalty against Mossack Fonseca’s operations in the British Virgin Islands. They cited 8 breaches of code including failures in due diligence and identification procedures at the firm. The 6-month investigation included on-site compliance inspections and installing an officer to monitor Mossack Fonseca’s operations in the BVI.
When most people think of data breaches, it’s in the context of retailers. Yet in 2016, law firm Mossack Fonseca & Co. had a huge leak that led to the firm incurring major fines from the Financial Services Commission or FSC in the British Virgin Islands and eventually shutting down. What happened?
Mossack Fonseca’s British Virgin Islands operations were found to be in breach on eight counts, including lack of due diligence and risk assessment failure. The FSC hit Mossack Fonseca with a fine of $440,000, which was the most significant punishment yet at the time in the British Virgin Islands.
Keep reading for a succinct recap of Mossack Fonseca’s data breach, including more on how it happened, who it impacted, and what can be learned from such a major scandal.
Who Is Mossack Fonseca?
Mossack Fonseca, a law firm that was based in Panama, was known for its offshore financial services. Before being embroiled in a series of controversies, they were the fourth best-known offshore firm. Founded in 1977 by Jurgen Mossack, the other directors included Ramon Fonseca and Christoph Zollinger.
The first controversy Mossack Fonseca was involved in was a money laundering scheme in Argentina back in 2014. A hedge fund subpoenaed the company, claiming Mossack Fonseca had made shell companies just to send government money to an Argentinian businessman named Lazaro Baez.
One year later, in 2015, Mossack Fonseca was accused of tax evasion and money laundering in Germany. Undoubtedly though, the firm’s biggest controversy–and what inevitably led to its end–was in 2016, in what has since been dubbed the Panama Papers.
What Happened?
Suddeutsche Zeitung, a newspaper in Germany, published an article on April 3rd, 2016 that ratted out Mossack Fonseca. The article pertained to confidential documents, 11.5 million in all, from Mossack Fonseca that had gotten into the hands of the newspaper’s writers.
The documents were called the Panama Papers due to their origin and had a history dating back to the beginning of Mossack Fonseca’s founding in the 1970s to the present. Mossack Fonseca’s employees had frequently relied on tax havens, using these to squirrel away billions of dollars at a time.
The German newspaper staff said they had received the Panama Papers anonymously, and that the data comprised 2.6 terabytes. Suddeutsche Zeitung worked with the International Consortium of Investigative Journalists, or the ICU, to better make sense of all the data they held.
Mossack Fonseca immediately fired back, saying that the information wasn’t representative of their services or their history. On the same day, the Panama Papers were announced in Germany, Mossack Fonseca wrote to all its clients that its email server had been hacked and that that’s how the data breach had occurred.
Apparently, Mossack Fonseca hadn’t prioritized their information security, as their tools were either outdated or not very good. This made it quite easy for the law firm’s information to be leaked. Police from Salvador, Peru, and Panama were soon knocking on Mossack Fonseca’s door to raid the law firm’s offices.
What Were the Consequences?
The Panama Papers were significant leaks. Besides letting officials know what Mossack Fonseca had been doing with its money for decades, the papers also included such information as:
- Which shell corporations Mossack Fonseca operated
- Public officials’ financial information
- Wealthy citizens’ financial information
The people whose financial information was leaked ranged from organized crime syndicates to business people, media personalities, sports stars, and government officials. Some of these include Jordan’s former prime minister Ali Abu al-Ragheb, former president of Argentina Mauricio Macri, Guatemala-based drug trafficker Marllory Chacon Rossell, Venezuelan pastor Javier Bertucci, US-based billionaire Igor Olenicoff, and actor Emma Watson.
As you can imagine, the implications in the Panama Papers were huge. People all over the world in all sorts of roles, including some that were meant to stay private, were now leaked to anyone and everyone.
This wasn’t the first time Mossack Fonseca had created shell corporations, as they had also been implicated in doing the same in 2014. Shell corporations are those without employees that can be used for intellectual property or for registered asset ownership. In all, Mossack Fonseca had 240,000 shell companies that were reported in the Panama Papers. Most of these had British Virgin Islands incorporation.
The British Virgin Islands decided to fine Mossack Fonseca for the leaked data in the Panama Papers through the FSC. The fine amounted to $440,000, which was the most money the territory had ever fined anyone.
The fine was based on what the British Virgin Islands found were eight significant breaches per its Regulatory Code and Anti-Money Laundering and Terrorist Financing codes. Some of these breaches include:
- Lack of compliance checks
- Lack of keeping current customer records
- Lack of customer due diligence
- Lack of risk assessment on transactions and customers
- Lack of identification procedures
The investigation into Mossack Fonseca and the Panama Papers took six months to complete. Officers visited Mossack Fonseca’s British Virgin Islands offices to oversee operations. The firm also underwent onsite compliance inspections during the time of the investigation.
Although the fine the British Virgin Islands issued was massive, many experts at the time felt it was too little, too late. Mossack Fonseca was still allowed to operate even after the publication of the Panama Papers and being slapped with such a huge fine.
However, the law firm wouldn’t be in operation for long. Its name had been tarnished before, but it was hard for anyone to have trust in Mossack Fonseca now after the publication of the Panama Papers. By March 2018, the firm shut down and has not operated since.
What Was Learned?
Data breaches can happen to anyone at any time, as the Mossack Fonseca case proved. When you give your information–be that your name and address or even your financials–to another business, you’re always at risk of that business being hacked and the information being leaked.
In the case of the Mossack Fonseca, the effects of the leak were far-reaching. The Panama Papers didn’t implicate everyday citizens in this case, but rather, elected officials, million-dollar athletes, and actors and celebrities. Those whose names were published in the Panama Papers had to do major damage control on their own reputations for being affiliated with Mossack Fonseca.
The law firm itself also went under because its own reputation died an utterly brutal death after the publication of the Panama Papers.
Here are a few takeaways and lessons to be learned from the Mossack Fonseca data breach:
- If you’re a business protecting other people’s personal data, always make sure your software is up-to-date. Every few months, you or an IT professional should test for vulnerabilities. Try to make your security system as rock-solid as possible so it’s more difficult for hackers to get into.
- If you’re a consumer thinking of sharing your personal information with any business, do your own due diligence. For Mossack Fonseca, the writing was on the wall. The company already had several strikes against it using some of its same old tricks, such as creating shell companies and engaging in money laundering. If the company you want to sign up with has a nefarious history, steer clear.
- In the case of a breach, always let the customers know right away. This is the only thing Mossack Fonseca did right, but it was probably more to cover their own hides than protect its huge range of clients.
- Use a defense system like Noftek, which could have prevented such a massive, significant breach.