
As Certain as Death and Taxes: The Security Leak that led to the Panama Papers

An insight into what really happened…

Who’s avoiding taxes and how?

While the average citizen in many countries pays taxes, it has been an all-too-common practice of multinational corporations and the “rich and famous” to avoid tax by moving enormous amounts of money around the world to places that have made a living out of being “tax havens”. An industry of advisors guides these clients through all the necessary steps on the way to havens such as Monaco, The Virgin Islands, Liechtenstein, The Channel Islands or the Bahamas.

This is not an isolated trend – it’s the norm for multinationals, and this shouldn’t be a surprise to anyone. Apple pays just over 2 percent tax because they own offices and subsidiaries in Dublin, Ireland. Google and Microsoft moved most of their cash to offshore accounts in order to avoid paying tens of billions of dollars in taxes each year. Starbucks also benefits from this by operating “Starbucks Manufacturing” in my country, Holland (the European Commission late last year ruled their tax breaks illegal). The list goes on… In 2015 alone, the U.S. government lost $90 billion in potential tax revenues due to these practices.

Guided by specialists, multinationals negotiate with foreign governments to find the cheapest place to have an office. Sometimes it’s no more than a small room with an administrator. This practice should be known as “Tax shopping”, and it’s proving to be very profitable.

These methods of avoiding tax have placed undue pressure on the average taxpayer, resulting in “John Doe” (English), “Otto Normalverbraucher” (German) or “Jan met de pet” (Dutch) needing to pay more and more tax to their governments who see so much money disappear.


Is it really the case that “Those who currently pay high tax are fools”? That’s how I feel when I see the scope of worldwide tax evasion. But how did this leak reach us? Could it be that one of the most sophisticated tax havens fell due to failing to practice basic online security measures? It’s recently been reported that the Panamanian law firm at the forefront of this scandal, Mossack Fonseca, had not taken proper measures to keep its website and web server up-to-date. This made it easy for hackers to break into their server. Their website was running on a rather ancient version of WordPress, with the added vulnerability of a very outdated plugin that was as leaky as a basket.

WordPress itself was NOT the problem, but a CMS (Content Management System) – and the plugins used – must be regularly updated. The same goes, by the way, for Drupal, the (rather notorious) Joomla and in fact every CMS.

This basic practice of updating software to meet security requirements didn’t happen at Mossack Fonseca, making it simple for hackers to break into the server. A further shocking revelation was that the firm’s server was NOT equipped with a firewall, which normally keeps attackers out.
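One way to check the update practice described above, as an added example that is not part of the original article: a Python script that reads the installed WordPress core and plugin versions from disk and compares them with a baseline. The baseline numbers, the plugin names and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

BASELINE = {"core": "4.5", "example-slider": "3.0.1"}  # constructed minimums

def vtuple(version):
    """'4.1' -> (4, 1, 0, 0): compare versions numerically, not as text."""
    return tuple(([int(p) for p in re.findall(r"\d+", version)] + [0] * 4)[:4])

def core_version(root):
    """WordPress core records its release in wp-includes/version.php."""
    text = (Path(root) / "wp-includes/version.php").read_text(errors="replace")
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", text)
    return m.group(1) if m else None

def plugin_versions(root):
    """Map plugin directory -> 'Version:' value from its main file's header."""
    found = {}
    for php in sorted((Path(root) / "wp-content/plugins").glob("*/*.php")):
        head = php.read_text(errors="replace")[:8192]
        m = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", head, re.M | re.I)
        if "Plugin Name:" in head and m:
            found[php.parent.name] = m.group(1)
    return found

def audit(root, baseline=BASELINE):
    """Return (component, installed, status) for everything needing attention."""
    installed = {"core": core_version(root), **plugin_versions(root)}
    findings = []
    for name, version in installed.items():
        if name not in baseline:
            findings.append((name, version, "not in baseline"))
        elif version is None or vtuple(version) < vtuple(baseline[name]):
            findings.append((name, version, "outdated" if version else "unreadable"))
    return findings

SAMPLE = {  # constructed site layout, written to a temp dir for the demo
    "wp-includes/version.php": "<?php\n$wp_version = '4.1';\n",
    "wp-content/plugins/example-slider/slider.php": "<?php\n/*\nPlugin Name: Example Slider\nVersion: 2.9\n*/\n",
    "wp-content/plugins/contact-widget/main.php": "<?php\n/*\n * Plugin Name: Contact Widget\n * Version: 1.4\n */\n",
}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        for rel, body in SAMPLE.items():
            (Path(site) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(site) / rel).write_text(body)
        print(audit(site))
```

A plugin reported as "not in baseline" is one nobody is tracking, which is how a forgotten plugin stays outdated.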

Once hackers were inside the law firm’s network, it turned out that the mail server and a large part of the firm’s office work files were running on the same server as the company website. The downloading could thus begin, and with it the exploration of a gold mine of information.

I personally don’t respect cybercriminals and their methods; after all, it remains illegal. But in this case, it feels like a little bad led to a lot of good. As a law-abiding taxpayer, it seems only fair that either everyone pay or no one pay.

Some clients (not all) of the Panamanian company were breaking the law, or were acting against what’s internationally seen as ethical – my hope is that they will be held accountable. However, my gut feeling is that once the dust settles, new “trust companies” will take over the market of money laundering – and the irony of the name “trust” isn’t lost on me.

This story makes one thing clear: There is no such thing as 100% secure – for better or for worse. The main takeaways from this leak are:

  • Keep your system secured – update your software, use safe surfing practices and have a multi-layered security system in place.
  • The same applies to a website: update your security frequently and make backups of your files at least monthly.
  • Cybercriminals will always be motivated to access your data and will often use it for their gain – you cannot be too cautious.

For instance, researchers here in Holland recently discovered malware on popular websites such as the Dutch “buienradar.nl” (rain radar / weather forecast), a famous newspaper and the well-known web shop of a mail-order company. It appeared that advertisers, unbeknownst to them, were infected with Cryptolocker malware, and through the advertisements placed on those websites many people were infected. This is just one two-step strategy cybercriminals use to stay out of sight.

Stay safe out there!

Written by: Peter in The Netherlands

Web of Trust member: “Dutch Mountain”

Website: www.peterswebsafety.com
