LuxLeaks. Mauritius Leaks. The Panama Papers. The Pandora Papers. – All made international headlines for days or weeks after their release. All ensnared dozens if not hundreds of individuals, families, and businesses — releasing sensitive private records into full public view. Their repercussions continue long after they’ve faded from the headlines.
The Pandora Papers tranche was the largest and farthest-reaching release yet. Revealed in October 2021 by the International Consortium of Investigative Journalists (ICIJ), a group of media professionals working for some 100 organizations in Europe, North America, and Asia, the Pandora Papers contained more than 12 million private records taken from blue-chip financial and legal services firms. These firms serve members of the global elite — high-net-worth individuals and families, including some powerful politicians.
For the most part, these firms were international fiduciaries: Asiaciti Trust, Fidelity Corporate Services Limited, Il Shin, and others. They operated in strict compliance with applicable international financial regulations and ethical standards. They took pains to ensure that they knew where their clients’ funds came from.
Yet they still faced swift public backlash from sensational and sometimes inaccurate stories published by the more than 300 journalists — many of whom, while dedicated to their craft, were not subject matter experts — working with the ICIJ. While the reputational damage can’t easily be undone, those affected have reason to ask: Could it have been prevented?
This is a challenging question to answer because the origins of the Pandora Papers remain murky and may never be fully understood. But we can use what we know about this and similar large-scale data incidents to evaluate plausible explanations. Perhaps more importantly for organizations concerned about their own cyber vulnerabilities, we can take a number of broadly applicable lessons from this unfortunate event that could prevent similar outcomes in the future.
Efforts to expose the origins of the Pandora Papers and the identities of those responsible are complicated by the fact that the very nature of the release remains unclear.
All the public knows is what has been released publicly. This may or may not be the entirety of the information obtained in the incident. If law enforcement authorities know more, they’re remaining tight-lipped for now as the investigation continues.
Some of the affected organizations aren’t waiting for law enforcement to present their findings. They’ve hired private digital forensics investigators to look into the incident and piece together what occurred.
The results of these investigations have been surprising. At least as far as has been publicly disclosed, no one has been able to uncover clear evidence of digital intrusion involving information that later appeared in the Pandora Papers release. If the Pandora Papers were in part or whole obtained via such an intrusion, those responsible did well to conceal their activities.
This is not conclusive proof or disproof of anything. But it does strongly suggest that those responsible for this incident were sophisticated, determined, and disciplined. And it narrows the range of those who could plausibly be responsible, putting the event beyond the capabilities of the vast majority of malicious cyber actors operating today.
We’re left to conclude that the Pandora Papers was the work of a sophisticated and determined cyber force. Unfortunately, this leaves us no closer to identifying that force. We can only speculate.
One possible explanation for this event quickly gained traction in the days following the initial release — that the Pandora Papers was an inside job.
The idea is plausible and appealing to investigators stumped by the lack of evidence of digital intrusion. It’s much easier for actors to cover their tracks when they have valid credentials to access sensitive data and documents and legitimate reasons to seek that information. Even highly capable digital investigators might not be able to prove beyond a reasonable doubt that an insider improperly obtained information from their own employer.
However, the “inside job” theory withers on closer inspection. Yes, the idea is plausible, but it’s highly impractical at the scale of the Pandora Papers. This release contained some 12 million records — that we know about — obtained from more than a dozen organizations. The sheer number of insiders who’d need to participate, and the amount of coordination they’d need to achieve to get what they needed, markedly reduces the likelihood of this theory.
Moreover, the “inside job” concept risks oversimplifying human behavior, which we know to be quite complex and not always rational. It assumes similar motivations on the part of a dense, diverse network of insiders spread across the world. While any given person can choose to “turn” at any given point in time, the likelihood of so many doing so at the same time is low. And if — as is likely — many insiders weren’t ready to “turn” on their own, any organizing or instigating party would need to invest considerable resources and time in influencing their behavior.
This all seems implausible. So let’s table the “inside job” idea and move on. If a complex network of malicious insiders wasn’t responsible for obtaining the records that came to be known as the Pandora Papers, who was?
We’ve edged toward the conclusion that the Pandora Papers could not be the work of a coordinated group of insiders. We also have strong evidence that those responsible are highly sophisticated, disciplined, and adept at concealing their activities.
Together, these clues point us toward a few possibilities:
What seems clear is that those behind the Pandora Papers intended the release to inflict reputational harm on named individuals, families, and firms. This was done in tacit cooperation — though perhaps not coordination, importantly — with media organizations that amplified the most sensational details and distorted key facts about those involved.
As Asiaciti Trust noted in its response to the incident, “The ‘Pandora Papers’ media coverage by the ICIJ and its partners is largely based on illegally obtained information and contains numerous inaccuracies and instances where important details are missing…the stories published do not represent all the facts or context of a situation [and this] has led to grossly misleading inferences and conclusions.”
The embarrassment is all the more acute because the firms named in the release aren’t able to defend themselves in the public discourse, at least not as directly as they’d like. Fiduciary obligations and client confidentiality concerns prevent specific rebuttals, however devastating the reputational harm.
Fidelity Corporate Services Limited put this quite bluntly in its own response to the release: “As a licensed registered agent,” the firm said, “we are precluded from disclosing any legally privileged information in respect to the companies under our administration, which includes information on its owners.”
We may never know who or what obtained the information that came to be known as the Pandora Papers. Ultimately, it’s less important to assign blame than to learn as much as we can from the incident in the hopes of deterring similar events in the future.
We all have a role to play, including “ordinary” individuals, families, and business enterprises with no offshore accounts or international business interests. While no defense is foolproof, these strategies can help reduce the likelihood and severity of such events:
Again, no cyber defense strategy is foolproof. But organizations that attend to the details of deterrence greatly reduce their appeal to those who’d wish them harm.
If you are interested in even more business-related articles and information from us here at Bit Rebels, then we have a lot to choose from.
In a nation as vast and diverse as the United States, the act of moving…
Efficient delivery operations are crucial as customer expectations for speed and flexibility continue to rise.…
For more than a decade, technology has been a game-changer for businesses. However, with today’s…
When used effectively, loans can be a lifeline. However, as with any product or service,…
Whether it is a small startup or a global enterprise, security flaws in software can…
Parents seeking the best for their babies often explore formulas that combine premium nutrition with…