Recently the Panama Papers burst upon the world's notice. You know, the enormous leak of confidential documents showing tax evasion and worse on the part of the worlds millionaires/billionaires and web site owners and producers should be paying attention.
The leak originated with the Mossack Fonseca law firm in Panama, hence "Panama Papers."
How did this leak occur?
What is know of how the hacker(s) gained access is a fairly sordid tale involving hubris, stupidity, sloppy web hygiene, and illegal actions.
In fact, it would make a good movie if it weren't so downright ordinary.
Because it appears that the hacker gained access because the law firm or its website creator was either too lazy or too stupid to keep it up to date.
Let me rephrase that… the hacker got in because the firm was running versions and plugin(s) that were way out of date.
The website used a WordPress platform which is without a doubt the best, most flexible platform for a small business website. We suggest it for every business we work with, and half of the tools we recommend are WordPress plugins or add-ons.
But, like an operating system on your computer, with all that functionality comes some concern for security. The WordPress software was three months out of date plus another linked software was almost two years out of date.
The theme was a template (non-custom) three-year-old version of TwentyEleven (version 1.5 – the time of the hack it was at version 2.4). Now, I won't mention my contempt for a law firm catering to billionaires that uses the cheap theme instead of considering a premium theme or custom (built from ground up) site, that poor judgement has turned out to have large consequences for not just the law firm but its clients as well.
Should I be worried about my site?
The answer to this question isn't that simple. Mossack Fonseca was a target here mainly because they were involved in potentially illicit activities with high-profile clients and lots of money. Most businesses we cater for don't include client information that’s critical the way Mossack Fonseca's clients information was. The hackers were sophisticated, more so than your general cyber-criminal, and would probably only target businesses like these with high stakes.
But any business can be at risk for cyber crime, particularly if you handle some of your commerce online. If a hacker can gain access to sensitive information, they can also do all sorts of nasty things to your site. Once in, hackers can do a lot of damage.
In this case the attack was very common and done via frequently created robots to hit vulnerable out of date sites, once found it logs on and hack into the database.
That's why you should take away the following lessons from this incident:
Choose the best web host you can afford.
Choose a strong username and password.
Choose web production that has secure themes or custom production, that means selecting a reputable web designer.
Quality add ons or plugins.
Maintain and update your site regularly.
This is where Mossack Fonseca fell down, and there's really no excuse for it. Like housework its boring and repetitive, but it's simpler when you do it regularly.
Updating would involve updating plugins, themes and CMS, making regular backups that are not on same server and delete spam comments.