arrow-line asset-bg bars-line calendar-line camera-line check-circle-solid check-line check-solid close-line cursor-hand-line image/svg+xml filter-line key-line link-line image/svg+xml map-pin mouse-line image/svg+xml plans-businessplans-freeplans-professionals resize-line search-line logo-white-smimage/svg+xml view-list-line warning-standard-line
Articles

The Paradise Papers: Data Leaks, Reputational Damage and The Cost of Cyber Security Failings

Only a year and a half on from the publication of the Panama Papers, another massive data leak has hit the offshore services industry, leaving a maelstrom of negative headlines in its wake. The developments have highlighted more than ever the need for offshore services providers to invest in robust cyber security measures to protect the sensitive data they hold.
Paradise Papers

THE STORY SO FAR

The leaked data originates primarily from the Bermudabased law firm Appleby, who have confirmed that they experienced a “data security incident” back in 2016. Smaller firms such as Asiaciti Trust, the Singapore-based trust and corporate services provider, have also been implicated. All in all, 1.4 terabytes of data have been leaked, including over 13.4 million documents, covering tax arrangements for clients in over 19 jurisdictions. As was the case with the Panama Papers, the trove of leaked documents was originally obtained by German newspaper Süddeutsche Zeitung and the International Consortium of Investigative Journalists, which collaborates with 95 media partners around the world, significantly amplifying the impact of the leak. Staggered media reporting over the last two weeks has shed light on the widespread use of offshore structures by prominent corporations from across Europe and the USA, including Apple and the Crown Estate, the United Kingdom’s sovereign estate holder. Media commentary of the leaks has stirred considerable public debate over the practice of offshore tax planning.

PANAMA PAPERS 2.0?

While some media outlets have been quick to draw comparisons with the larger 2016 leak, the contents of this more recent data leak do not appear to be as significant from an anti-money laundering and regulatory compliance perspective. In stark contrast with the Panama Papers, which implicated numerous global leaders in corrupt schemes and resulted in high-profile political casualties, early indications are that this leak may contain little obvious evidence of criminality. A lot of the ‘revelations’ published by media outlets to date have focused on exposing common offshore tax planning arrangements which are widely used by UHNW individuals and large corporations globally. While the Panama Papers caused international outrage and rightly prompted compliance officers across the financial services world to review their KYC/AML procedures and look closely at their exposure to politically exposed persons (PEPs), this most recent leak appears to have primarily ‘shed light’ on an internationally accepted and entirely legal, if not always uncontentious, business practice.

THE PRICE OF CYBER SECURITY FAILINGS

The lack of criminality – to date at least - exposed in the Paradise Papers hardly makes the leak less damaging. For those individuals and corporations whose private data has now reached the public domain, and for the companies – chief among them Appleby – whose systems were compromised, the adverse publicity generated by the leak could well inflict significant reputational damage. 

Appleby reportedly hired a leading international cyber security team to perform a digital forensic investigation after they became aware of the data security incident in 2016. However, there is still uncertainty as to exactly how the leak occurred. In a statement, Appleby blamed the leak not so much on the actions of a whistleblower or internal staff member, but instead characterised the events as a highly sophisticated breach executed by “an intruder who deployed the tactics of a professional hacker”. The firm has stated that there is still no definitive evidence of an intruder accessing Appleby’s systems or data being stolen. 

The incident highlights the considerable risks faced by offshore services firms who handle sensitive private data on behalf of their corporate and individual clients. Leaks and breaches of this nature – from Swiss Leaks to Lux Leaks to the most recent Paradise edition - are occurring with increasing regularity, demonstrating that even larger firms such as Appleby whose cyber security procedures are relatively sophisticated are vulnerable to attack. The publicity surrounding each successive breach only compounds the problem, as increased media coverage risks attracting hackers and offshore-focused ‘hacktivists’ to target the sector in increasing numbers.

FOLLOWING BEST PRACTICE, STAYING PROTECTED

Offshore services providers will need to review their cyber security posture in the wake of the Paradise Papers leak to limit the risk of becoming another ‘data leak’ test case. While the underlying reasons behind breaches and leaks can vary widely, basic gaps in policies, procedures and practices are often to blame. S-RM’s cyber security team specialises in helping clients understand and respond to cyber security risks by communicating technical details and remediation measures in simple, practical terms. We also test the effectiveness of security measures with vulnerability scanning, penetration testing, social engineering tests and incident management exercises.

S-RM’s GSI is the simplest way to get a fresh perspective on the security risks affecting you, your work, and your travel.

Find out more