In a year dominated by media coverage of the ongoing coronavirus pandemic and escalating geopolitical tensions in Europe and the Middle East, one story stood out: the Pandora Papers, a massive collection of private corporate records released in October 2021 by the International Consortium of Investigative Journalists (ICIJ).
The Pandora Papers was preceded by similar leaks, including the Panama Papers, LuxLeaks, and Mauritius Leaks. Its scope was even broader than its predecessors, with hundreds of individuals and families named for their association with the dozen-plus firms from which records were improperly obtained.
These firms were international fiduciaries: Asiaciti Trust, Fidelity Corporate Services Limited, Il Shin, and others. They operated in strict compliance with applicable international financial regulations and ethical standards. They took pains to ensure that they knew where their clients’ funds came from.
Yet they still faced swift public backlash from sensational and sometimes inaccurate stories published by the more than 300 journalists — many of whom, while dedicated to their craft, were not subject matter experts — working with the ICIJ. While the reputational damage can’t easily be undone, those affected have reason to ask: Could it have been prevented?
This is a challenging question to answer because the origins of the Pandora Papers remain murky and may never be fully understood. But we can use what we know about this and similar large-scale data incidents to evaluate plausible explanations. Perhaps more importantly for organizations concerned about their own cyber vulnerabilities, we can take a number of broadly applicable lessons from this unfortunate event that could prevent similar outcomes in the future.
Untangling The Forensics – No Evidence Of Compromise
Efforts to expose the origins of the Pandora Papers and the identities of those responsible are complicated by the fact that the very nature of the release remains unclear.
The public knows only what has been released. This may or may not be the entirety of the information obtained in the incident. If law enforcement authorities know more, they’re remaining tight-lipped for now as the investigation continues.
Some of the affected organizations aren’t waiting for law enforcement to present their findings. They’ve hired private digital forensics investigators to look into the incident and piece together what occurred.
The results of these investigations have been surprising. At least as far as has been publicly disclosed, no one has been able to uncover clear evidence of digital intrusion involving information that later appeared in the Pandora Papers release. If the Pandora Papers were in part or whole obtained via such an intrusion, those responsible did well to conceal their activities.
This is not conclusive proof or disproof of anything. But it does strongly suggest that those responsible for this incident were sophisticated, determined, and disciplined. And it narrows the range of those who could plausibly be responsible, putting the event beyond the capabilities of the vast majority of malicious cyber actors operating today.
We’re left to conclude that the Pandora Papers was the work of a sophisticated and determined cyber force. Unfortunately, this leaves us no closer to identifying that force. We can only speculate.
Was The Pandora Papers An Inside Job?
One possible explanation for this event quickly gained traction in the days following the initial release — that the Pandora Papers was an inside job.
The idea is plausible and appealing to investigators stumped by the lack of evidence of digital intrusion. It’s much easier for actors to cover their tracks when they have valid credentials to access sensitive data and documents and legitimate reasons to seek that information. Even highly capable digital investigators might not be able to prove beyond a reasonable doubt that an insider improperly obtained information from their own employer.
However, the “inside job” theory withers on closer inspection. Yes, the idea is plausible, but it’s highly impractical at the scale of the Pandora Papers. This release contained some 12 million records — that we know about — obtained from more than a dozen organizations. The sheer number of insiders who’d need to participate, and the amount of coordination they’d need to achieve to get what they needed, markedly reduces the likelihood of this theory.
Moreover, the “inside job” concept risks oversimplifying human behavior, which we know to be quite complex and not always rational. It assumes similar motivations on the part of a dense, diverse network of insiders spread across the world. While any given person can choose to “turn” at any given point in time, the likelihood of so many doing so at the same time is low. And if — as is likely — many insiders weren’t ready to “turn” on their own, any organizing or instigating party would need to invest considerable resources and time in influencing their behavior.
This all seems implausible. So let’s table the “inside job” idea and move on. If a complex network of malicious insiders wasn’t responsible for obtaining the records that came to be known as the Pandora Papers, who was?
Who Was Behind The Pandora Papers? – Plausible Explanations
We’ve edged toward the conclusion that the Pandora Papers could not be the work of a coordinated group of insiders. We also have strong evidence that those responsible are highly sophisticated, disciplined, and adept at concealing their activities.
Together, these clues point us toward a few possibilities:
- National intelligence agencies. Some observers have argued persuasively that Western intelligence forces, such as the CIA and NSA, participated in the collection of Pandora Papers records — and possibly in the collection of records found in prior releases as well. There’s little direct evidence for this theory but plenty of historical correlation. It’s not a secret that intelligence agencies in the U.S. and elsewhere have formidable cyber capabilities and few reservations about using them to their perceived advantage.
- Sophisticated organized criminal networks. Few private entities have state-like cyber capabilities. Most of those that do are sophisticated organized criminal networks that target well-defended corporate and government networks for profit or strategic advantage. Such entities could benefit by embarrassing politicians and powerful business interests such as those named in the Pandora Papers.
- Rogue states. Western intelligence agencies aren’t the only state entities with the capability and willingness to obtain and release sensitive information. While rogue states’ motivations are less clear, no one doubts their sincerity.
A Grim Success, Regardless Of Who’s Responsible
What seems clear is that those behind the Pandora Papers intended the release to inflict reputational harm on named individuals, families, and firms. This was done in tacit cooperation — though perhaps not coordination, importantly — with media organizations that amplified the most sensational details and distorted key facts about those involved.
As Asiaciti Trust noted in its response to the incident, “The ‘Pandora Papers’ media coverage by the ICIJ and its partners is largely based on illegally obtained information and contains numerous inaccuracies and instances where important details are missing…the stories published do not represent all the facts or context of a situation [and this] has led to grossly misleading inferences and conclusions.”
The embarrassment is all the more acute because the firms named in the release aren’t able to defend themselves in the public discourse, at least not as directly as they’d like. Fiduciary obligations and client confidentiality concerns prevent specific rebuttals, however devastating the reputational harm.
Fidelity Corporate Services Limited put this quite bluntly in its own response to the release: “As a licensed registered agent,” the firm said, “we are precluded from disclosing any legally privileged information in respect to the companies under our administration, which includes information on its owners.”
Preventing The Next Pandora Papers – Best Practices To Address Cyber Vulnerabilities
We may never know who or what obtained the information that came to be known as the Pandora Papers. Ultimately, it’s less important to assign blame than to learn as much as we can from the incident in the hopes of deterring similar events in the future.
We all have a role to play, including “ordinary” individuals, families, and business enterprises with no offshore accounts or international business interests. While no defense is foolproof, these strategies can help reduce the likelihood and severity of such events:
- Implementing a comprehensive information security strategy. Every organization needs a comprehensive information security strategy. This is true even of firms that don’t keep sensitive client data or provide services of interest to anyone outside their industry. Particular attention should be paid to applying the principle of least privilege consistently (providing the bare minimum of access necessary for a given employee to do their job) and maintaining tight control over personal devices used for work.
- Using anti-malware software. Computer viruses, worms, trojans, and other types of malware are increasingly used in the service of data theft, extortion, and other crimes. Anti-malware protection isn’t total, but it’s infinitely better than leaving a system or network completely exposed.
- Limiting system access to trusted agents. Following on the principle of least privilege, gated networks should permit as few credentialed users as possible. Access should be authorized sparingly and revoked quickly when no longer needed.
- Regularly updating digital equipment and software. Outdated digital equipment and software are security risks, full stop. They should be updated long before the manufacturer or publisher ceases support; ideally, organizations should have systematic policies for cycling updates through the enterprise.
- Building internal digital security teams. External digital forensics investigators can help attribute responsibility for a data incident and ascertain its scope, but they can’t spot it in real time or prevent it from occurring in the first place. That requires internal digital security expertise — a costly investment, perhaps, but one that could pay for itself again and again.
Again, no cyber defense strategy is foolproof. But organizations that attend to the details of deterrence greatly reduce their appeal to those who’d wish them harm.